Establishing a Cyber Workforce Action Plan
The next presidential administration should establish a comprehensive Cyber Workforce Action Plan to address the critical shortage of cybersecurity professionals and bolster national security. This plan encompasses innovative educational approaches, including micro-credentials, stackable certifications, digital badges, and more, to create flexible and accessible pathways for individuals at all career stages to acquire and demonstrate cybersecurity competencies.
The initiative will be led by the White House Office of the National Cyber Director (ONCD) in collaboration with key agencies such as the Department of Education (DoE), Department of Homeland Security (DHS), National Institute of Standards and Technology (NIST), and National Security Agency (NSA). It will prioritize enhancing and expanding existing initiatives—such as the CyberCorps: Scholarship for Service program that recruits and places talent in federal agencies—while also spearheading new engagements with the private sector and its critical infrastructure vulnerabilities. To ensure alignment with industry needs, the Action Plan will foster strong partnerships between government, educational institutions, and the private sector, particularly focusing on real-world learning opportunities.
This Action Plan also emphasizes the importance of diversity and inclusion by actively recruiting individuals from underrepresented groups, including women, people of color, veterans, and neurodivergent individuals, into the cybersecurity workforce. In addition, the plan will promote international cooperation, with programs to facilitate cybersecurity workforce development globally. Together, these efforts aim to close the cybersecurity skills gap, enhance national defense against evolving cyber threats, and position the United States as a global leader in cybersecurity education and workforce development.
Challenge and Opportunity
The United States and its allies face a critical shortage of cybersecurity professionals, in both the public and private sectors. This shortage poses significant risks to our national security and economic competitiveness in an increasingly digital world.
In the federal government, the cybersecurity workforce is aging rapidly, with only about 3% of information technology (IT) specialists under 30 years old. Meanwhile, nearly 15% of the federal cyber workforce is eligible for retirement. This demographic imbalance threatens the government’s ability to defend against sophisticated and evolving cyber threats.
The private sector faces similar challenges. According to recent estimates, there are nearly half a million unfilled cybersecurity positions in the United States. This gap is expected to grow as cyber threats become more complex and pervasive across all industries. Small and medium-sized businesses are particularly vulnerable, often lacking the resources to compete for scarce cyber talent.
The cybersecurity talent shortage extends beyond our borders, affecting our allies as well. As cyber threats from adversarial nation states become increasingly global in nature, our international partners’ ability to defend against these threats directly impacts U.S. national security. Many of our allies, particularly in Eastern Europe and Southeast Asia, lack robust cybersecurity education and training programs, further exacerbating the global skills gap.
A key factor contributing to this shortage is the lack of accessible, flexible pathways into cybersecurity careers. Traditional education and training programs often fail to keep pace with rapidly evolving technology and threat landscapes. Moreover, they frequently overlook the potential of career changers and nontraditional students who could bring valuable diverse perspectives to the field.
However, this challenge presents a unique opportunity to revolutionize cybersecurity education and workforce development. By leveraging innovative approaches such as apprenticeships, micro-credentials, stackable certifications, peer-to-peer learning platforms, digital badges, and competition-based assessments, we can create more agile and responsive training programs. These methods can provide learners with immediately applicable skills while allowing for continuous upskilling as the field evolves.
Furthermore, there’s an opportunity to enhance cybersecurity awareness and basic skills among all American workers, not just those in dedicated cyber roles. As digital technologies permeate every aspect of modern work, a baseline level of cyber hygiene and security consciousness is becoming essential across all sectors.
By addressing these challenges through a comprehensive Cyber Workforce Action Plan, we can not only strengthen our national cybersecurity posture but also create new pathways to well-paying, high-demand jobs for Americans from all backgrounds. This initiative has the potential to position the United States as a global leader in cyber workforce development, enhancing both our national security and our economic competitiveness in the digital age.
Evidence of Existing Initiatives
While numerous excellent cybersecurity workforce development initiatives exist, they often operate in isolation, lacking cohesion and coordination. ONCD is positioned to leverage its whole-of-government approach and the groundwork laid by its National Cyber Workforce and Education Strategy (NCWES) to unite these disparate efforts. By bringing together the strengths of various initiatives and their stakeholders, ONCD can transform high-level strategies into concrete, actionable steps. This coordinated approach will maximize the impact of existing resources, reduce duplication of efforts, and create a more robust and adaptable cybersecurity workforce development ecosystem. This proposed Action Plan is the vehicle to turn these collective workforce-minded strategies into tangible, measurable outcomes.
At the foundation of this plan lies the NICE Cybersecurity Workforce Framework, developed by NIST. This common lexicon for cybersecurity work roles and competencies provides the essential structure upon which we can build. The Cyber Workforce Action Plan seeks to expand on this foundation by creating standardized assessments and implementation guidelines that can be adopted across both public and private sectors.
Micro-credentials, stackable certifications, digital badges, and other innovations in accessible education—as demonstrated by programs like SANS Institute’s GIAC certifications and CompTIA’s offerings—form a core component of the proposed plan. These modular, skills-based learning approaches allow for rapid validation of specific competencies—a crucial feature in the fast-evolving cybersecurity landscape. The Action Plan aims to standardize and coordinate these and similar efforts, ensuring widespread recognition and adoption of accessible credentials across industries.
The array of gamification and competition-based learning approaches—including but not limited to National Cyber League, SANS NetWars, and CyberPatriot—are also exemplary starting points that would benefit from greater federal engagement and coordination. By formalizing these methods within education and workforce development programs, the government can harness their power to simulate real-world scenarios and drive engagement at a national scale.
Incorporating lessons learned from the federal government’s previous DoE CTE CyberNet program, the National Science Foundation’s (NSF) Scholarship for Service Program (SFS), and the National Security Agency’s (NSA) GenCyber camps—the Action Plan emphasizes the importance of early engagement (the middle grades and early high school years) and practical, hands-on learning experiences. By extending these principles across all levels of education and professional development, we can create a continuous pathway from high school through to advanced career stages.
A Cyber Workforce Action Plan would provide a unifying praxis to standardize competency assessments, create clear pathways for career progression, and adapt to the evolving needs of both the public and private sectors. By building on the successes of existing initiatives and introducing innovative solutions to fill critical gaps in the cybersecurity talent pipeline, we can create a more robust, diverse, and skilled cybersecurity workforce capable of meeting the complex challenges of our digital future.
Plan of Action
Recommendation 1. Create a Cyber Workforce Action Plan.
ONCD will develop and oversee the plan, in close collaboration with DoE, NIST, NSA, and other relevant agencies. The plan has three distinct components:
1. Develop standardized assessments aligned with the NICE framework. ONCD will work with NIST to create a suite of standardized assessments to evaluate cybersecurity competencies that:
- Cover the full range of knowledge, skills, and abilities defined in the NICE framework.
- Include both theoretical knowledge tests and practical, scenario-based evaluations.
- Be regularly updated to reflect evolving cybersecurity threats and technologies.
- Be designed with input from both government and industry cybersecurity professionals to ensure relevance and applicability.
2. Establish a system of stackable and portable micro-credentials. To provide flexible and accessible pathways into cybersecurity careers, ONCD will work with DoE, NIST, and the private sector to help develop and support systems of micro-credentials that are:
- Aligned with specific competencies in the NICE framework: NIST, as the national standards-setting body, will issue these credentials to ensure alignment with the NICE framework. This will provide legitimacy and broad recognition across industries.
- Stackable, allowing learners to build towards larger certifications or degrees: These credentials will be designed to allow individuals to accumulate certifications over time, ultimately leading to more comprehensive qualifications or degrees.
- Portable across different sectors and organizations: The micro-credentials will be recognized by both government agencies and private-sector employers, ensuring they have value regardless of where an individual seeks employment.
- Recognized and valued by both government agencies and private-sector employers: By working closely with the private sector—where credentialing systems like those from CompTIA and Google are already advanced—the ONCD will help ensure government-issued credentials are not duplicative but complementary to existing industry standards. NIST’s involvement, combined with input from private-sector leaders, will provide confidence that these credentials are relevant and accepted in both public and private sectors.
- Designed to facilitate rapid upskilling and reskilling in response to evolving cybersecurity needs: Given the rapidly changing landscape of cybersecurity threats, these micro-credentials will be regularly updated to reflect the most current technologies and skills, enabling professionals to remain agile and competitive.
3. Integrate more closely with more federal initiatives. The Action Plan will be integrated with existing federal cybersecurity programs and initiatives, including:
- DHS’s Cybersecurity Talent Management System
- DoD’s Cyber Excepted Service
- NIST’s NICE framework
- NSF’s CyberCorps SFS program
- NSA’s GenCyber camps
This proposal emphasizes stronger integration with existing federal initiatives and greater collaboration with the private sector. Instead of creating entirely new credentialing standards, ONCD will explore opportunities to leverage widely adopted commercial certifications, such as those from Google, CompTIA, and other private-sector leaders. By selecting and promoting recognized commercial standards where applicable, ONCD can streamline efforts, avoiding duplication and ensuring the cybersecurity workforce development approach is aligned with what is already successful in industry. Where necessary, ONCD will work with NIST and industry professionals to ensure these commercial certifications meet federal needs, creating a more cohesive and efficient approach across both government and industry. This integrated public-private strategy will allow ONCD to offer a clear leadership structure and accountability mechanism while respecting and utilizing commercial technology and standards to address the scale and complexity of the cybersecurity workforce challenge.
The Cyber Workforce Action Plan will emphasize strong collaborations with the private sector, including the establishment of a Federal Cybersecurity Curriculum Advisory Board composed of experts from relevant federal agencies and leading private-sector companies. This board will work directly with universities to develop model curricula that incorporate the latest cybersecurity tools, techniques, and threat landscapes, ensuring that graduates are well-prepared for the specific challenges faced by both federal and private-sector cybersecurity professionals.
To provide hands-on learning opportunities, the Action Plan will include a new National Cyber Internship Program. Managed by the Department of Labor in partnership with DHS’s Cybersecurity and Infrastructure Security Agency (CISA) and leading technology companies, the program will match students with government agencies and private-sector companies. An online platform will be developed, modeled after successful programs like Hacking for Defense, where industry partners can propose real-world cybersecurity projects for student teams.
To incentivize industry participation, the General Services Administration (GSA) and DoD will update federal procurement guidelines to require companies bidding on cybersecurity-related contracts to certify that they offer internship or early-career opportunities for cybersecurity professionals. Additionally, CISA will launch a “Cybersecurity Employer of Excellence” certification program, which will be a prerequisite for companies bidding on certain cybersecurity-related federal contracts.
The Action Plan will also address the global nature of cybersecurity challenges by incorporating international cooperation elements. This includes adapting the plan for international use in strategically important regions, facilitating joint training programs and professional exchanges with allied nations, and promoting global standardization of cybersecurity education through collaboration with international standards organizations.
Ultimately, this effort intends to implement a national standard for cybersecurity competencies—providing clear, accessible pathways for career progression and enabling more agile and responsive workforce development in this critical field.
Recommendation 2. Implement an enhanced CyberCorps fellowship program.
ONCD should expand the NSF’s CyberCorps Scholarship for Service program as an immediate, high-impact initiative. Key features of the expanded CyberCorps fellowship program include:
1. Comprehensive talent pipeline: While maintaining the current SFS focus on students, the enhanced CyberCorps will also target recent graduates and early-career professionals with 1–5 years of work experience. This expansion addresses immediate workforce needs while continuing to invest in future talent. The program will offer competitive salaries, benefits, and loan forgiveness options to attract top talent from both academic and private-sector backgrounds.
2. Multiagency exposure and optional rotations: While cross-sector exposure remains valuable for building a holistic understanding of cybersecurity challenges, the rotational model will be optional or limited based on specific agency needs. Fellows may be offered the opportunity to rotate between agencies or sectors only if their skill set and the hosting agency’s environment are conducive to short-term placements. For fellows placed in agencies or sectors where longer ramp-up times are expected, a deeper, longer-term placement may be more effective. Drawing on lessons from the Presidential Innovation Fellows and the U.S. Digital Corps, the program will emphasize flexibility to ensure that fellows can make meaningful contributions within the time frame and that knowledge transfer between sectors remains a core objective.
3. Advanced mentorship and leadership development: Building on the SFS model, the expanded program will foster a strong community of cyber professionals through cohort activities and mentorship pairings with senior leaders across government and industry. A new emphasis on leadership training will prepare fellows for senior roles in government cybersecurity.
4. Focus on emerging technologies: Complementing the SFS program’s core cybersecurity curriculum, the expanded CyberCorps will emphasize cutting-edge areas such as artificial intelligence in cybersecurity, quantum computing, and advanced threat detection. This focus will prepare fellows to address future cybersecurity challenges.
5. Extended impact through education and mentorship: The program will encourage fellows to become cybersecurity educators and mentors in their communities after their service, extending the program’s impact beyond government service and strengthening America’s overall cyber workforce.
By implementing these enhancements to the CyberCorps program as a first step and quick win, the Action Plan will initiate a more comprehensive approach to federal cybersecurity workforce development. The enhanced CyberCorps fellowship program will also emphasize diversity and inclusion to address the critical shortage of cybersecurity professionals and bring fresh perspectives to cyber challenges. The program will actively recruit individuals from underrepresented groups, including women, people of color, veterans, and neurodivergent individuals.
To achieve this, the program will partner with organizations like Girls Who Code and the Hispanic IT Executive Council to promote cybersecurity careers and expand the applicant pool. The Department of Labor, in conjunction with the NSF, will establish a Cyber Opportunity Fund to provide additional scholarships and grants for individuals from underrepresented groups pursuing cybersecurity education through the CyberCorps program.
In addition, the program will develop standardized apprenticeship components that provide on-the-job training and clear pathways to full-time employment, with a focus on recruiting from diverse industries and backgrounds. Furthermore, partnerships with Historically Black Colleges and Universities, Hispanic-Serving Institutions, and Tribal Colleges and Universities will be strengthened to enhance their cybersecurity programs and create a pipeline of diverse talent for the CyberCorps program.
The CyberCorps program will expand its scope to include an international component, allowing for exchanges with allied nations’ cybersecurity agencies and bringing international students to U.S. universities for advanced studies. This will help position the United States as a global leader in cybersecurity education and training while fostering a worldwide community of professionals capable of responding effectively to evolving cyber threats.
By incorporating these elements, the enhanced CyberCorps fellowship program will not only address immediate federal cybersecurity needs but also contribute to building a diverse, skilled, and globally aware cybersecurity workforce for the future.
Implementation Considerations
To successfully establish and execute the comprehensive Action Plan and its associated initiatives, careful planning and coordination across multiple agencies and stakeholders will be essential. Below are some of the key timeline and funding considerations the ONCD should factor into its implementation.
Key milestones and actions for the first two years
Months 1–6:
- Create the Cyber Workforce Action Plan as a roadmap to implementing ONCD’s NCWES.
- Form interagency working group and private-sector advisory board.
- NIST’s Information Technology Laboratory, in collaboration with industry partners, will begin the development of the standardized assessment system and micro-credentials framework.
- Initiate the Federal Cybersecurity Curriculum Advisory Board.
- Launch the expanded CyberCorps fellowship program recruitment.
Months 7–12:
- Implement pilot programs for standardized assessments and micro-credentials.
- Begin first cohort of expanded CyberCorps fellows.
- Launch diversity and inclusion initiatives, including the “Cyber for All” awareness campaign.
- Initiate the National Cybersecurity Internship Program.
- Begin development of the Cybersecurity Employer of Excellence recognition program.
Months 13–18:
- Pilot standardized assessments and micro-credentials system in select agencies and educational institutions, with full rollout anticipated after evaluation and adjustments based on feedback.
- Expand CyberCorps program and university partnerships.
- Implement private-sector internship and project-based learning programs.
- Launch the International Cybersecurity Workforce Alliance.
Months 19–24:
- Implement tax incentives for industry participation in workforce development.
- Establish the Cybersecurity Development Fund for international capacity building.
- Conduct first annual review of diversity and inclusion metrics in federal cyber workforce.
Program evaluation and quality assurance
Beyond these key milestones, the Action Plan must establish clear evaluation frameworks to ensure program quality and effectiveness, particularly for integrating non-federal education programs into federal hiring pathways. For example, to address OPM’s need for evaluating non-federal technical and career education programs under the Recent Graduates Program, the Action Plan will implement the following evaluation framework:
- Alignment with NICE framework competencies (minimum 80% coverage of core competencies)
- Completion of NIST-approved standardized technical assessments
- Documentation of supervised practical experience (minimum 400 hours)
- Evidence of quality assurance processes comparable to registered apprenticeship programs
- Regular curriculum updates (minimum annually) to reflect current security threats
- Industry partnership validation through the Cybersecurity Employer of Excellence program
The implementation of these criteria will be overseen by the same advisory board established in Months 1-6, expanding their scope to include program evaluation and certification. This approach leverages existing governance structures while providing OPM with quantifiable metrics to evaluate non-federal program graduates.
Budgetary, resource, and personnel needs
The estimated annual budget for the proposed initiative ranges from $125 million to $200 million. This range considers cost-effective resource allocation strategies, including the integration of existing platforms and focused partnerships. Key components of the program include:
- Staffing: A core team of 15–20 full-time employees will oversee the centralized program office, focusing on high-level coordination and oversight. Specialized tasks such as curriculum development and assessment design will be contracted to external partners, reducing the need for a larger in-house team.
- IT infrastructure: Rather than building new systems from scratch, the initiative will use existing platforms and credentialing technologies from private-sector providers (e.g., CompTIA, Coursera). This significantly reduces upfront development costs while ensuring a robust system for managing assessments and credentials.
- Marketing and outreach: A smaller but targeted budget will be allocated for domestic and international outreach to raise awareness of the program. Partnerships with industry and educational institutions will help amplify these efforts, reducing the need for a large marketing budget.
- Grants and partnerships: The program will provide modest grants to universities to support curriculum development, with a focus on fostering partnerships rather than large-scale financial commitments. This allows for more cost-effective collaboration with educational institutions.
- Fellowship programs and international exchanges: The expanded CyberCorps fellowship will begin with a smaller cohort, scaling up based on available funding and demonstrated success. International exchanges will be limited to strategic, high-impact partnerships to ensure cost efficiency while still addressing global cybersecurity needs.
Potential funding sources
Funding for this initiative can be sourced through a variety of channels. First, congressional appropriations via the annual budget process are expected to provide a significant portion of the financial support. Additionally, reallocating existing funds from cybersecurity and workforce development programs could account for approximately 25–35% of the overall budget. This reallocation could include funding from current programs like NICE, SFS, and other workforce development grants, which can be repurposed to support this broader initiative without requiring entirely new appropriations.
Public-private partnerships will also be explored, with potential contributions from industry players who recognize the value of a robust cybersecurity workforce. Grants from federal entities such as DHS, DoD, and NSF are viable options to supplement the program’s financial needs. To offset costs, fees collected from credentialing and training programs could serve as an additional revenue stream.
Finally, the Action Plan and its initiatives will seek contributions from international development funds aimed at capacity-building, as well as financial support from allied nations to aid in the establishment of joint international programs.
Conclusion
Establishing a comprehensive Cyber Workforce Action Plan represents a pivotal move toward securing America’s digital future. By creating flexible, accessible career pathways into cybersecurity, fostering innovative education and training models, and promoting both domestic diversity and international cooperation, this initiative addresses the urgent need for a skilled and resilient cybersecurity workforce.
The impact of this proposal is wide-ranging. It will not only reinforce national security by strengthening the nation’s cyber defenses but also contribute to economic growth by creating high-paying jobs and advancing U.S. leadership in cybersecurity on the global stage. By expanding access to cybersecurity careers and engaging previously underutilized talent pools, this initiative will ensure the workforce reflects the diversity of the nation and is prepared to meet future cybersecurity challenges.
The next administration must make the implementation of this plan a national priority. As cyber threats grow more complex and sophisticated, the nation’s ability to defend itself depends on developing a robust, adaptable, and highly skilled cybersecurity workforce. Acting swiftly to establish this strategy will build a stronger, more resilient digital infrastructure, ensuring both national security and economic prosperity in the 21st century. We urge the administration to allocate the necessary resources and lead the transformation of cybersecurity workforce development. Our digital future—and our national security—demand immediate action.
As cyber threats grow more complex and sophisticated, the nation’s ability to defend itself depends on developing a robust, adaptable, and highly skilled cybersecurity workforce.
For the United States to continue to be a competitive global power in technology and innovation, we need a workforce that understands how to use, apply, and develop new innovations using AI and Data Science.
Students, families and communities want and need more STEM learning experiences to realize the American Dream, and yet they cannot access them. Prioritizing STEM education must be an urgent priority for the federal government and the Department of Education.
The Department of Education must provide guidance for education decision-makers to evaluate AI solutions during procurement, to support EdTech developers to mitigate bias in their applications, and to develop new fairness methods.