Back to Top

Requirements of the Federal Cybersecurity Workforce Assessment Act

Monday, August 1, 2016
Requirements of the Federal Cybersecurity Workforce Assessment Act

The Federal Cybersecurity Workforce Assessment Act (Act) is contained in the Consolidated Appropriations Act of 2016 (Public Law 114-113) and was enacted on December 18, 2015 (see pages 735-737 at  The Act furthers the work the U.S. Office of Personnel Management (OPM) and agencies have begun to identify the Federal cybersecurity workforce (reference the July 2013 Special Cybersecurity Workforce Project Memorandum at  It also positions us to improve our workforce planning capabilities for this critical workforce and promotes collaboration in implementation among agencies, OPM, and the National Initiative for Cybersecurity Education (NICE).                            

While OPM is charged with leading the Government-wide implementation of some of the requirements within the Act, other requirements must be carried out by agencies.  Below is information regarding the agency requirements outlined within the Act.  In particular, we want to draw your attention to the timelines associated with each deliverable. 

Overview of the Act’s Requirements and Timeframes 

  • By December 2016:  Agencies will conduct and report a baseline assessment of their existing workforce, identifying: 1) the percentage of staff with Information Technology, Cybersecurity, or Cyber-related functions who currently hold appropriate industry-recognized certifications; 2) the level of preparedness of staff without credentials to take certification exams; and 3) a strategy for mitigating any gaps identified with appropriate training and certification for existing staff.  Agencies must report their findings to Congress by December 2016.
  •  By January 2017:  OPM will work with NICE to revise our cybersecurity data standard coding structure in the Enterprise Human Resources Integration (EHRI) system to fully align with the NICE Workforce Framework, which is currently undergoing revisions.  Agencies will begin applying the revised cyber EHRI codes to positions with Information Technology, Cybersecurity, and Cyber-related functions.  We will use a phased approach to agency application of the revised cyber codes, targeted to begin in October 2016.  Agencies and OPM will collaborate to determine how to identify and code Information Technology, Cybersecurity, and Cyber-related position vacancies.
  • By December 2017:  Agencies will complete the revised coding of Information Technology, Cybersecurity, and Cyber-related encumbered civilian positions and vacancies.
  • Beginning December 2018 through 2022:  Agencies will annually identify Information Technology, Cybersecurity, and Cyber-related work roles of critical need in their civilian workforce and report to OPM describing the roles and substantiating the critical need designation.  OPM will collaborate with agencies and NICE to define Information Technology, Cybersecurity, and Cyber-related work roles of “critical need.”

Because it is important for us to collaborate to find the best ways to implement the Act, we are coordinating with Government-wide Councils and NICE networks to garner their insights about how agencies could leverage best practices for implementing requirements within the law as some requirements, such as the assessment of certifications, are new.  We will share guidance and recommendations on our MAX page as we work together to implement the Act.  (Please see 

If you have questions, please contact Shanaz Porter at or (202) 606-1005.  We look forward to collaborating with you on this important work. 

cc:  Chief Human Capital Officers, Deputy Chief Human Capital Officers, Chief Learning Officers, and Chief Information Officers