Rule2021-17824
Cybersecurity Talent Management System
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published
August 26, 2021
Effective
November 15, 2021
Issuing agencies
Homeland Security Department
Abstract
The U.S. Department of Homeland Security (DHS) is establishing a new talent management system to address DHS's historical and ongoing challenges recruiting and retaining individuals with skills necessary to execute DHS's dynamic cybersecurity mission. The Cybersecurity Talent Management System (CTMS) is a mission-driven, person-focused, and market-sensitive approach to talent management. CTMS represents a shift from traditional practices used to hire, compensate, and develop Federal civil service employees and is designed to adapt to changes in cybersecurity work, the cybersecurity talent market, and the Department's cybersecurity mission. CTMS will modernize and enhance DHS's capacity to recruit and retain mission-critical cybersecurity talent. With CTMS, DHS is creating a new type of Federal civil service position, called a qualified position, and the cadre of those positions and the individuals appointed to them is called the DHS Cybersecurity Service (DHS-CS). CTMS will govern talent management for the DHS-CS through specialized practices for hiring, compensation, and development. Individuals selected to join the DHS-CS will be provided with a contemporary public service career experience, which emphasizes continual learning and contributions to DHS cybersecurity mission execution. This rulemaking adds regulations to implement and govern CTMS and the DHS-CS.
Full Text
<html>
<head>
<title>Federal Register, Volume 86 Issue 163 (Thursday, August 26, 2021)</title>
</head>
<body><pre>
[Federal Register Volume 86, Number 163 (Thursday, August 26, 2021)]
[Rules and Regulations]
[Pages 47840-47913]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2021-17824]
[[Page 47839]]
Vol. 86
Thursday,
No. 163
August 26, 2021
Part III
Department of Homeland Security
-----------------------------------------------------------------------
6 CFR Part 158
Cybersecurity Talent Management System; Interim Final Rule
��Federal Register / Vol. 86 , No. 163 / Thursday, August 26, 2021 /
Rules and Regulations��
[[Page 47840]]
-----------------------------------------------------------------------
DEPARTMENT OF HOMELAND SECURITY
6 CFR Part 158
[Docket No. DHS-2020-0042]
RIN 1601-AA84
Cybersecurity Talent Management System
AGENCY: Department of Homeland Security.
ACTION: Interim final rule; request for comments.
-----------------------------------------------------------------------
SUMMARY: The U.S. Department of Homeland Security (DHS) is establishing
a new talent management system to address DHS's historical and ongoing
challenges recruiting and retaining individuals with skills necessary
to execute DHS's dynamic cybersecurity mission. The Cybersecurity
Talent Management System (CTMS) is a mission-driven, person-focused,
and market-sensitive approach to talent management. CTMS represents a
shift from traditional practices used to hire, compensate, and develop
Federal civil service employees and is designed to adapt to changes in
cybersecurity work, the cybersecurity talent market, and the
Department's cybersecurity mission. CTMS will modernize and enhance
DHS's capacity to recruit and retain mission-critical cybersecurity
talent. With CTMS, DHS is creating a new type of Federal civil service
position, called a qualified position, and the cadre of those positions
and the individuals appointed to them is called the DHS Cybersecurity
Service (DHS-CS). CTMS will govern talent management for the DHS-CS
through specialized practices for hiring, compensation, and
development. Individuals selected to join the DHS-CS will be provided
with a contemporary public service career experience, which emphasizes
continual learning and contributions to DHS cybersecurity mission
execution. This rulemaking adds regulations to implement and govern
CTMS and the DHS-CS.
DATES: This rule is effective on November 15, 2021. Comments must be
received on or before December 31, 2021.
ADDRESSES: You may submit comments, identified by docket number DHS-
2020-0042, using the Federal rulemaking portal at <a href="http://www.regulations.gov">http://www.regulations.gov</a>. For instructions on submitting comments, see the
``Public Participation and Request for Comments'' portion of the
Supplementary Information section of this document.
FOR FURTHER INFORMATION CONTACT: Technical information: Mr. Travis
Hoadley, Department of Homeland Security, Office of the Chief Human
Capital Officer: telephone 202-357-8700, email <a href="/cdn-cgi/l/email-protection#fbb8afb6a8bb938ad59f9388d59c948d"><span class="__cf_email__" data-cfemail="3c7f68716f7c544d1258544f125b534a">[email protected]</span></a>. Legal
information: Ms. Esa Sferra-Bonistalli, Department of Homeland
Security, Office of the General Counsel: telephone 202-357-8700, email
<a href="/cdn-cgi/l/email-protection#0241564f51426a732c666a712c656d74"><span class="__cf_email__" data-cfemail="7536213826351d045b111d065b121a03">[email protected]</span></a>.
SUPPLEMENTARY INFORMATION:
Table of Contents
I. Executive Summary
A. CTMS Elements
B. Administering CTMS & Managing the DHS-CS
C. New 6 CFR Part 158
D. Costs and Benefits
II. Basis and Purpose
III. Background
A. Authority for a New Cybersecurity Talent Management System
1. Designate & Establish Qualified Positions
2. Appointment
3. Compensation
(a) Comparable Positions
(b) Basic Pay
(i) Rates of Pay and Pay Ranges
(ii) Limitations on Maximum Rates and Pay Caps
(c) Additional Compensation
(i) Consistent With
(ii) The Level Authorized
B. Need for a New Approach to Cybersecurity Talent Management
1. Ever-Evolving Nature of Cybersecurity Work Requires a Focus
on the Individual
2. Outdated, Rigid Position Classification Inadequately
Describes Cybersecurity Work
3. Generic, Inflexible Compensation Limits Ability To Compete
for Cybersecurity Talent
IV. Discussion of the Rule
A. New Approach to Talent Management: Subparts A & B
1. Subpart A--General Provisions
(a) A New Type of Position: Qualified Positions
(b) A New Definition of ``Qualifications''
(c) Other Definitions
(d) Authority & Policy Framework
2. Subpart B--DHS Cybersecurity Service
(a) Mission
(b) Qualified Positions
(c) DHS-CS Employees
(d) DHS-CS Assignments
B. CTMS and DHS-CS Leadership: Subpart C
1. Leaders
2. Principles, Priorities, and Core Values
C. Strategic Talent Planning: Subpart D
1. DHS-CS Cybersecurity Work & CTMS Qualifications
Identification
2. CTMS Talent Market Analysis
3. CTMS Work Valuation & Work and Career Structures
4. Informing CTMS Administration and DHS-CS Management
D. Acquiring Talent: Subpart E
1. CTMS Talent Acquisition System
2. Strategic Recruitment
3. Qualifications-Based Assessment, Selection & Appointment
(a) CTMS Assessment Program
(b) DHS-CS Appointments
E. Compensating Talent: Subpart F
1. CTMS Compensation System
2. DHS-CS Employee Compensation
3. CTMS Salary System
(a) CTMS Salary Range
(b) CTMS Salary Structure
(c) CTMS Local Cybersecurity Talent Market Supplement
(d) CTMS Salary Administration
4. CTMS Recognition
(a) CTMS Recognition Payments
(b) CTMS Recognition Time-Off
(c) CTMS Honorary Recognition
5. Other Special Payments Under CTMS
(a) CTMS Professional Development and Training
(b) CTMS Student Loan Repayments
(c) CTMS Special Work Conditions Payments
(d) CTMS Allowances in Nonforeign Areas
6. Other Compensation Provided in Accordance With OPM
Regulations
7. CTMS Aggregate Compensation Limit
F. Deploying Talent: Subpart G
1. CTMS Deployment Program
2. Designating Qualified Positions
3. Designating and Staffing Assignments
4. Official Worksite
5. Work Scheduling
6. DHS-CS Recordkeeping
7. Details and Opportunities Outside of the DHS-CS
G. Developing Talent: Subpart H
1. CTMS Performance Management Program
2. CTMS Career Development Program
H. Federal Employee Rights and Requirements & Advisory
Appointments: Subparts I & J
1. Subpart I--Employee Rights, Requirements, and Input
2. Subpart J--Advisory Appointments
V. Appendix: Reference Materials
VI. Public Participation and Request for Comments
VII. Statutory and Regulatory Requirements
A. Executive Orders 12866 (Regulatory Planning and Review) and
13563 (Improving Regulation and Regulatory Review)
1. Background and Purpose
2. CTMS Costs: Designing, Establishing, and Administering CTMS
3. CTMS & DHS-CS Costs: Compensating and Retaining DHS-CS
Employees
4. CTMS & DHS-CS Benefits: Enhancing the Cybersecurity of the
Nation
B. Regulatory Flexibility Act
C. Congressional Review Act
D. Unfunded Mandates Reform Act
E. E.O. 13132 (Federalism)
F. E.O. 12988 (Civil Justice Reform)
G. E.O. 13175 (Consultation and Coordination With Indian Tribal
Governments)
H. National Environmental Policy Act
I. National Technology Transfer and Advance Act
J. E.O. 12630 (Governmental Actions and Interference With
Constitutionally Protected Property Rights)
[[Page 47841]]
K. E.O. 13045 (Protection of Children From Environmental Health
Risks and Safety Risks)
L. E.O. 13211 (Actions Concerning Regulations That Significantly
Affect Energy Supply, Distribution, or Use)
M. Paperwork Reduction Act
Table of Abbreviations
APA--Administrative Procedure Act
CFR--Code of Federal Regulations
CISA--Cybersecurity and Infrastructure Security Agency
CRA--Congressional Review Act
CTMB--Cybersecurity Talent Management Board
CTMS--Cybersecurity Talent Management System
DHS--Department of Homeland Security
DHS-CS--DHS Cybersecurity Service
DHS OCIO--DHS Office of the Chief Information Officer
DOD--Department of Defense
DOD CES--Department of Defense's Cybersecurity Excepted Service
DOD DCIPS--Department of Defense's Civilian Intelligence Personnel
System
DOD HQE--DOD Highly Qualified Experts
E.O.--Executive Order
EX--Executive Schedule
FLSA--Fair Labor Standards Act
GAO--Government Accountability Office
GS--General Schedule
HSAC--Homeland Security Advisory Council
IC--Intelligence Community
IC HQE--Intelligence Community Highly Qualified Experts
LCTMS--Local Cybersecurity Talent Market Supplement
OMB--Office of Management and Budget
OPM--Office of Personnel Management
SES--Senior Executive Service
SL/ST--Senior Level/Scientific or Professional
STRL--Scientific and Technology Reinvention Laboratories
Sec. --Section
U.S.C.--United States Code
I. Executive Summary
For more than a decade, the U.S. Department of Homeland Security
(DHS) has encountered challenges recruiting and retaining mission-
critical cybersecurity talent. To address those challenges, DHS has re-
envisioned Federal civilian talent management for 21st-century
cybersecurity work by designing an innovative approach to talent
management: The Cybersecurity Talent Management System (CTMS). DHS is
establishing CTMS under the authority in section 658 of Title 6 of the
United States Code (U.S.C.), which authorizes DHS to create a new
approach to talent management exempt from major portions of existing
laws governing talent management for much of the Federal civil service.
CTMS is mission-driven, person-focused, and market-sensitive, and
it features several interrelated elements, based on leading public and
private sector talent management practices. Importantly, CTMS is also
based on core Federal talent management principles related to upholding
merit, prohibiting certain personnel practices, advancing equity, and
providing equal employment opportunity. CTMS is designed to modernize
and enhance DHS's capacity to recruit and retain individuals with the
skills, called qualifications, necessary to execute the DHS
cybersecurity mission. CTMS is also designed to adapt to changes in
cybersecurity work, the cybersecurity talent market, and the DHS
cybersecurity mission, even as technology, sought-after expertise, and
work arrangements change.
With CTMS, DHS is creating a new type of Federal civil service
position in the excepted service, called a qualified position.
Qualified positions focus on individuals and individuals'
qualifications. The cadre of qualified positions and the individuals
appointed to them is called the DHS Cybersecurity Service (DHS-CS). The
goal of the DHS-CS is to enhance the cybersecurity of the Nation
through the most effective execution of the DHS cybersecurity mission.
DHS will use CTMS to hire, compensate, and develop DHS-CS employees to
reinforce the values of expertise, innovation, and adaptability.
CTMS will also provide DHS-CS employees with a contemporary public
service career experience, which emphasizes continual learning and
contributions to DHS cybersecurity mission execution.
A. CTMS Elements
To recruit and retain DHS-CS employees, CTMS features interrelated
elements that are new processes, systems, and programs that implement
new talent management concepts and definitions. Each CTMS element
represents a shift from the traditional methods and practices Federal
agencies typically use to hire, compensate, and develop civil service
talent. Collectively, the CTMS elements form a complete approach to
talent management and enable new, specialized talent management
practices. CTMS is driven by the DHS cybersecurity mission and informed
by internal data about the state of DHS cybersecurity work and talent;
it is also informed by external data about trends in the field of
cybersecurity and the talent market.
The CTMS elements and their purposes are:
<bullet> Strategic talent planning process enables CTMS to adapt to
changes in cybersecurity work, the cybersecurity talent market, and the
DHS cybersecurity mission by aggregating and using relevant information
to inform CTMS administration on an ongoing basis. As part of the
strategic talent planning process, DHS:
[cir] Identifies the set of qualifications necessary to perform the
work required to execute the DHS cybersecurity mission.
[cir] conducts analysis of the cybersecurity talent market to
identify and monitor employment trends and leading strategies for
recruiting and retaining cybersecurity talent.
[cir] establishes and administers a work valuation system based on
qualifications and DHS cybersecurity work, which DHS uses instead of
the General Schedule (GS) or other traditional Federal position
classification methods to facilitate systematic talent management and
addresses internal equity.
<bullet> Talent acquisition system supports qualifications-based
recruitment, assessment, selection, and appointment of DHS-CS
employees.
<bullet> Compensation system provides sufficiently competitive,
market-sensitive compensation, while encouraging and recognizing DHS-CS
employee contributions, such as exceptional qualifications and mission
impact.
<bullet> Deployment program guides when DHS uses CTMS to recruit
and retain talent and operationalizes aspects of the work valuation,
talent acquisition, and compensation systems through requirements for
designating qualified positions, designating and staffing assignments,
work scheduling, and recordkeeping.
<bullet> Performance management program seeks to improve the
effectiveness of DHS-CS employees in executing the cybersecurity
mission by ensuring individual accountability and recognizing their
mission impact.
<bullet> Career development program ensures the development of the
collective expertise of DHS-CS employees through continual learning,
while guiding the career progression of each DHS-CS employee.
The CTMS elements rely on new talent management concepts and
definitions:
<bullet> Work and career structures, are constructs, analogous to
General Schedule classes and grades, that DHS establishes under the
CTMS work valuation system and uses instead of classes and grades from
the General Schedule or other traditional Federal position
classification methods. DHS uses work and career structures to support
several elements of CTMS,
[[Page 47842]]
including the compensation system, and DHS determines applicable work
and career structures for a DHS-CS employee as part of selection and
appointment under the CTMS talent acquisition system.
<bullet> Mission impact is the influence an individual has on the
execution of the DHS cybersecurity mission by applying qualifications
to perform DHS cybersecurity work. DHS determines a DHS-CS employee's
mission impact through mission impact reviews under the CTMS
performance management program. Mission impact is a factor in DHS-CS
employee compensation and development.
<bullet> Mission-related requirements are characteristics of an
individual's expertise or characteristics of cybersecurity work, or
both, that are associated with successful execution of the DHS
cybersecurity mission. They are determined by officials with
appropriate decision-making authority and are a factor in DHS-CS
employee compensation, assignment matches, and development.
<bullet> Strategic talent priorities are priorities for CTMS and
the DHS-CS set by the Secretary or the Secretary's designee. Strategic
talent priorities are used in administering CTMS and managing the DHS-
CS.
B. Administering CTMS & Managing the DHS-CS
The Secretary, or the Secretary's designee, leads CTMS and the DHS-
CS with assistance from the Cybersecurity Talent Management Board
(CTMB). The CTMB comprises DHS officials representing organizations
involved in executing the DHS cybersecurity mission and DHS officials
responsible for developing and administering talent management policy.
Working together, these officials ensure the most efficient operation
of CTMS and the most effective management of the DHS-CS. The Secretary,
or the Secretary's designee, and the CTMB administer CTMS and manage
the DHS-CS.
The dynamic DHS cybersecurity mission drives CTMS. On an ongoing
basis, DHS identifies the functions that execute the DHS cybersecurity
mission, the cybersecurity work required by those functions, and the
set of qualifications necessary to perform that work. The work
identified is called DHS-CS work, and the set of qualifications
identified are called CTMS qualifications. Under CTMS, qualifications
are individuals' cybersecurity skills, which encompass the full array
of work-related characteristics and qualities that distinguish talent.
Qualifications are the core of CTMS and its elements, and on an
ongoing basis, DHS updates the set of CTMS qualifications to ensure
they continue to reflect the collective cybersecurity expertise DHS
requires. DHS establishes work and career structures based on CTMS
qualifications, and DHS creates qualified positions based on DHS-CS
employees' CTMS qualifications. DHS-CS employees execute the DHS
cybersecurity mission by applying their CTMS qualifications to perform
DHS-CS cybersecurity work. In administering CTMS to recruit and retain
DHS-CS employees, DHS emphasizes individuals' CTMS qualifications and
their mission impact.
DHS uses CTMS, instead of another Federal personnel system, when a
DHS organization requires talent with CTMS qualifications and DHS
determines that the recruitment and retention of such talent would be
enhanced by the specialized practices of CTMS.
All individuals interested in serving in the DHS-CS must apply, and
DHS proactively recruits individuals at all career stages, from those
just beginning a career in cybersecurity to those with years of proven
experience working as a cybersecurity technical expert or
organizational leader. Recruitment includes proactively communicating
with prospective applicants about DHS's unique cybersecurity mission
and available public service career opportunities in the DHS-CS.
DHS assesses applicants using standardized instruments and
procedures intended to determine the applicants' CTMS qualifications.
DHS selects an individual based on the individual's CTMS
qualifications.
DHS may appoint a selected individual to a renewable appointment or
continuing appointment. A renewable appointment is time-limited, may be
renewed multiple times, and may be used for project-based work or other
similar purposes. A continuing appointment is not time-limited. The
DHS-CS can also include political appointees, called advisory
appointees. Regardless of appointment type, new DHS-CS employees are
matched with initial assignments based on mission needs and their CTMS
qualifications upon appointment.
Compensation for DHS-CS employees includes salaries and additional
compensation. DHS provides such compensation in alignment with a CTMS
compensation strategy aimed at ensuring sufficiently competitive
compensation to recruit and retain the cybersecurity expertise DHS
requires. Under CTMS, compensation is based primarily on CTMS
qualifications, and DHS has necessary flexibility to adjust aspects of
compensation based on market and mission demands.
DHS provides salaries for DHS-CS employees under a market-sensitive
salary structure bounded by an overall salary range. This salary range
is comprised of a standard range and an extended range for use in
limited circumstances. A DHS-CS employee's salary may include a local
cybersecurity talent market supplement, analogous to a locality-based
comparability payment, to ensure a competitive salary in certain
geographic areas.
DHS provides additional compensation for DHS-CS employees mainly in
the form of recognition, which includes salary increases called
recognition adjustments, cash bonuses called recognition payments, paid
time-off called recognition time-off, and honorary awards called
honorary recognition. Such recognition is based primarily on DHS-CS
employees' mission impact.
CTMS additional compensation also includes payments for special
working conditions, which DHS can use to compensate a DHS-CS employee
for special working conditions that are determined to be insufficiently
accounted for in the employee's salary. For example, such conditions or
circumstances include performing certain work involving unusual
physical or mental hardship, at unexpected times, or for an uncommon
duration of time. Other types of additional compensation available to
DHS-CS employees are similar to or the same as existing offerings for
many Federal employees: Professional development and training, student
loan repayments, allowances in nonforeign areas, as well as traditional
Federal employee benefits like holidays, leave, retirement, health
benefits, and insurance programs.
Throughout DHS-CS employees' service, DHS considers increasing
employees' compensation based primarily on their mission impact.
Compensation increases occur mainly through CTMS recognition as either
recognition adjustments or recognition payments. CTMS does not feature
automatic salary increases or payments; moreover, longevity in position
or prior Federal government service are not factors in CTMS
compensation.
Each DHS-CS employee's salary is subject to salary limitations, and
each DHS-CS employee's aggregate compensation, composed of the
employee's salary and certain types of additional compensation, is
subject to an aggregate compensation limit. These salary limitations
and the aggregate compensation limit implement statutory
[[Page 47843]]
requirements from the authority for CTMS in 6 U.S.C. 658.
Career progression in the DHS-CS is based on enhancement of CTMS
qualifications and salary progression resulting from recognition
adjustments. DHS guides a DHS-CS employee's career and ensures
development of the collective expertise of DHS-CS employees through
continual learning, which may include a range of recommended and
required learning activities. Continual learning and enhancement of
CTMS qualifications are integral to a DHS-CS employee's service in the
DHS-CS. New assignment opportunities may be an important part of DHS-CS
employees' continual learning and enhancement of CTMS qualifications.
Through such assignments, DHS-CS employees are able to learn and
perform different types of DHS-CS cybersecurity work and customize
contemporary career experiences that maximize both their qualifications
and their impact on the DHS cybersecurity mission.
C. New 6 CFR Part 158
This rulemaking adds new part 158 to Title 6 of the Code of Federal
Regulations (CFR) to implement and govern CTMS and the DHS-CS. New part
158 contains several subparts setting forth the interrelated elements
of CTMS that function together as a complete, and innovative, approach
to talent management.
D. Costs and Benefits
From FY 2016 through FY 2020, DHS received approximately $49
million of appropriated funding to design and establish CTMS and the
resulting DHS-CS. The major costs of CTMS and the DHS-CS are: (1) The
cost of talent management infrastructure necessary for the Office of
the Chief Human Capital Officer (OCHCO) to design, establish, and
prepare to administer CTMS; and (2) the cost of compensating DHS-CS
employees hired by DHS organizations using CTMS.
In FY 2021, OCHCO received approximately $13 million of
appropriated funding to both finalize the design of CTMS and to
establish CTMS. For FY 2022, DHS requested that funding be increased to
approximately $16 million both to launch and administer CTMS and to
support the management of an expanding population of DHS-CS employees.
The primary benefit of this rule is to ensure the most effective
execution of the DHS cybersecurity mission by establishing CTMS to
enhance DHS's capacity to recruit and retain cybersecurity talent in
the new DHS-CS.
This rulemaking does not directly regulate the public.
II. Basis and Purpose
On December 18, 2014, Congress added a new section to the Homeland
Security Act of 2002 entitled ``Cybersecurity Recruitment and
Retention.'' This new section is codified at 6 U.S.C. 658 and grants
the Secretary broad authority and discretion to create a new personnel
or talent management system for DHS's cybersecurity workforce. The
exercise of this authority and discretion is exempt from major portions
of existing laws governing talent management for much of the Federal
civil service.\1\ This exemption allows DHS to re-envision talent
management for 21st-century cybersecurity work.
---------------------------------------------------------------------------
\1\ 6 U.S.C. 658(b)(1)(B).
---------------------------------------------------------------------------
This rule implements 6 U.S.C. 658 and establishes a new talent
management system designed based on DHS's dynamic cybersecurity
mission. Use of the new system addresses DHS's historical and ongoing
challenges recruiting and retaining mission-critical cybersecurity
talent.
To implement the authority in 6 U.S.C. 658, Congress requires the
Secretary ``shall prescribe regulations'' and to do so in coordination
with the Director of the Office of Personnel Management (OPM).\2\ This
rulemaking fulfills the requirement to prescribe regulations. To
fulfill the requirement to coordinate with the Director of OPM, DHS
engaged with OPM experts for assistance in understanding the talent
management concepts invoked by the language of 6 U.S.C. 658 and to
obtain feedback on DHS's design for the new talent management system.
---------------------------------------------------------------------------
\2\ 6 U.S.C. 658(b)(6).
---------------------------------------------------------------------------
DHS is promulgating this rule as an interim final rule because it
is a matter relating to agency management or personnel that is exempt
from the rulemaking requirements of the Administrative Procedure Act
(APA). Rulemaking requirements of the APA include issuing a notice of
proposed rulemaking, providing an opportunity for public comment, and
an effective date not less than 30 days after publication of the
rule.\3\ These requirements, however, do not apply to ``a matter
relating to agency management or personnel or to public property,
loans, grants, benefits, or contracts.'' \4\ The Attorney General's
Manual on the Administrative Procedure Act describes this exemption as
one of two ``broad exceptions'' to APA rulemaking requirements,\5\ and
further characterizes the agency management or exemption as ``self-
explanatory.'' \6\ Similar to the Attorney General's Manual
characterization, Federal courts have interpreted the agency management
exemption as applying to traditional personnel matters, such as a new
personnel system, personnel manuals, and personnel policies.\7\
---------------------------------------------------------------------------
\3\ 5 U.S.C. 553(b)-(d).
\4\ 5 U.S.C. 553(a)(2).
\5\ Attorney General's Manual on the Administrative Procedure
Act, 26. The other broad exemption in the APA, as amended, is for
``any military or foreign affairs function of the United States''
under 5 U.S.C. 553(a)(1).
\6\ Id. at 27.
\7\ See, e.g., Brodowy v. U.S., 482 F.3d 1370, 1375-76 (Fed.
Cir. 2007) (finding an agency's new personnel management system to
be a matter relating to agency management or personnel and exempt
from the APA's procedural requirements); Hamlet v. U.S., 63 F.3d
1097, 1105 (Fed. Cir. 1995) (holding that an agency personnel manual
governing all phases of personnel management relates to matters of
agency personnel, and its promulgation was exempt from the APA's
procedural requirements); Stewart v. Smith, 673 F.2d 485, 496-500
(D.C. Cir. 1982) (holding that an agency's hiring policy falls
within the APA exception for agency management or personnel).
---------------------------------------------------------------------------
Although this rulemaking is exempt from the rulemaking requirements
of the APA, DHS is seeking public comments on the innovative talent
management system. Interested persons are invited to participate in
this rulemaking by submitting written comments as described in VI.
Public Participation and Request for Comments of this document.
III. Background
Cybersecurity is a matter of homeland security and one of the core
missions of DHS. For more than a decade, DHS has encountered challenges
recruiting and retaining mission-critical cybersecurity talent. As
cybersecurity threats facing the Nation have grown in volume and
sophistication, DHS has experienced spikes in attrition and
longstanding vacancies in some cybersecurity positions, as well as
shortages of certain critical and emerging cybersecurity skills.
In response to DHS's historical and ongoing challenges recruiting
and retaining cybersecurity talent, Congress granted the Secretary the
authority in 6 U.S.C. 658 to ensure DHS improves its ability to recruit
and retain mission-critical cybersecurity talent. Legislative history
indicates that Congress granted the authority in 6 U.S.C. 658 in
response to a report by the Secretary's Homeland Security Advisory
Council (HSAC) recommending DHS receive additional talent management
flexibilities similar
[[Page 47844]]
to those used by the National Security Agency.\8\ The HSAC report
linked DHS's recruitment and retention challenges to a global shortage
of cybersecurity expertise and fierce competition among Federal
agencies and the private sector for cybersecurity skills.\9\
---------------------------------------------------------------------------
\8\ S. Rep. 113-207, Report of the Committee on Homeland
Security and Governmental Affairs, U.S. Senate, to accompany S.
2354, ``To Improve Cybersecurity Recruitment and Retention,'' (July
14, 2014), 2-3 (``The [Homeland Security Advisory] Council also made
a recommendation to Congress: `Congress should grant the Department
[of Homeland Security] human capital flexibilities in making salary,
hiring, promotion and separation decisions identical to those used
by the National Security Agency for hiring and managing its
cybersecurity workforce and other technical experts.' This bill
seeks to do just that: It gives the Secretary of Homeland Security
similar recruitment and retention authorities for cybersecurity
professional as currently possessed by the Secretary of Defense'').
Note that S. 2354 is a previous bill, the language of which is now
codified at 6 U.S.C. 658.
\9\ Homeland Security Advisory Council, U.S. Department of
Homeland Security, CyberSkills Task Force Report (Fall 2012).
---------------------------------------------------------------------------
The language codified at 6 U.S.C. 658 mirrors the language in 10
U.S.C. 1601-1603, enacted in 1996 for the Department of Defense (DOD),
that authorizes DOD's Defense Civilian Intelligence Personnel System
(DOD DCIPS).\10\ In addition, the language codified at 6 U.S.C. 658 is
similar to a separate DOD authority, enacted a year after Sec. 658,
and under which DOD has established the DOD Cybersecurity Excepted
Service (DOD CES) personnel system for its United States Cyber Command
workforce.\11\
---------------------------------------------------------------------------
\10\ National Defense Authorization Act for Fiscal Year 1997
Public Law 104-201, Sec. 1632 (Sept. 23, 1996), codified at 10
U.S.C. 1601-1614.
\11\ National Defense Authorization Act for Fiscal Year 2016.
Public Law 114-92, Sec. 1107 (Nov. 25, 2015), codified at 10 U.S.C.
1599f.
---------------------------------------------------------------------------
Once granted the authority to create a new cybersecurity talent
management system free from existing requirements and practices
governing Federal talent management, DHS formed a specialized team in
early 2016 to design a new cybersecurity talent management system
capable of addressing DHS's recruitment and retention challenges. Based
on the authority in 6 U.S.C. 658 and DHS's understanding of both the
cybersecurity talent landscape and existing Federal talent management
practices, DHS concluded it could--and it must--re-envision talent
management for 21st-century cybersecurity work. As outlined in required
reports to Congress \12\ about DHS's plan for and progress toward
execution of the authority granted in 6 U.S.C. 658, DHS is using this
authority to create an innovative, 21st-century talent management
system with solutions for its cybersecurity workforce recruitment and
retention challenges.\13\ This rule establishes the new talent
management system, which is based on leading public and private sector
talent management practices and driven by the DHS cybersecurity
mission.
---------------------------------------------------------------------------
\12\ See 6 U.S.C. 658(b)(4) and 658(c).
\13\ U.S. Department of Homeland Security, Plan for Execution of
Authorities: Fiscal Year 2015 Report to Congress, (May 3, 2016);
U.S. Department of Homeland Security, Annual Report: Usage of
Cybersecurity Human Capital Authorities Granted by 6 United States
Code Sec. 147, (May 3, 2016); U.S. Department of Homeland Security,
Annual Report: Usage of Cybersecurity Human Capital Authorities
Granted by 6 United States Code Sec. 147, (Apr.4, 2017); U.S.
Department of Homeland Security, Comprehensive Cybersecurity
Workforce Update: FY2018-2019 (July 2020).
---------------------------------------------------------------------------
A. Authority for a New Cybersecurity Talent Management System
The authority in 6 U.S.C. 658 allows DHS to create a new talent
management system exempt from many existing laws governing Federal
civilian talent management. Specifically, the Secretary may designate
and establish ``qualified positions'' in the excepted service, appoint
individuals to those positions, and compensate appointed individuals.
See 6 U.S.C. 658(b)(1)(A). The Secretary may do this ``without regard
to the provisions of any other law relating to the appointment, number,
classification, or compensation of employees.'' See 6 U.S.C.
658(b)(1)(B). The ``without regard to'' language supersedes all other
laws governing appointment, number, classification, or compensation of
employees.\14\
---------------------------------------------------------------------------
\14\ See e.g. Cisneros v. Alphine Ridge Group, 508 U.S. 10
(1993) (construing the use of a ``notwithstanding'' clause, which is
similar to the ``without regard to'' clause in 5 U.S.C.
658(b)(1)(B), as superseding all other laws).
---------------------------------------------------------------------------
The language of 6 U.S.C. 658 uses terms that invoke fundamental
talent management concepts. Importantly, the exemption from
classification means that DHS can choose how to describe cybersecurity
work, including by establishing new constructs to categorize work and
new ways of defining positions performing such work, and relatedly, DHS
can choose how to value cybersecurity work and positions, including
through new compensation structures and practices. DHS has interpreted
the authority in 6 U.S.C. 658, as necessary, to fulfill the
congressional intent in the legislative history: That DHS address its
cybersecurity workforce recruitment and retention challenges and
improve its capacity to compete for top cybersecurity talent by
exercising greater discretion in hiring and compensating cybersecurity
talent.\15\
---------------------------------------------------------------------------
\15\ See S. Rep. 113-207, Report of the Committee on Homeland
Security and Governmental Affairs, U.S. Senate, to accompany S.
2354, ``To Improve Cybersecurity Recruitment and Retention,'' (July
14, 2014), 1 (stating that the language is now codified at 6 U.S.C.
658, ``would enable DHS to better compete for cybersecurity talent
by giving the Secretary of Homeland Security greater discretion than
currently possessed when hiring and setting the pay and benefits of
DHS cybersecurity employees.''). Also see remarks in the
Congressional Record indicating that 6 U.S.C. 658 grants the
Secretary talent management flexibilities to better recruit and
retain top cybersecurity talent with a faster and more flexible
hiring process and more competitive compensation. 160 Cong. Rec.
H8945, 8950 (Ms. Norton: ``An amendment introduced by Senator Carper
also would add provisions allowing the Department of Homeland
Security to recruit and retain cyber professionals by granting
authority to hire qualified experts on an expedited basis and to pay
them competitive salaries, wages, and incentives''); 160 Cong. Rec.
H8945, 8951 (Ms. Clarke: ``The cyber workforce language included in
S. 1691 generally does two important things. First, it grants
special hiring authority to DHS to bring on board topnotch cyber
recruits. The Department desperately needs a more flexible hiring
process with incentives to secure talent in today's highly
competitive cyber skills market. Second, it requires the Secretary
of the Department to assess its cyber workforce'').
---------------------------------------------------------------------------
Although DHS has authority to create a new talent management system
free from existing requirements in other laws governing appointment,
number, classification, and compensation of Federal employees, Congress
provided a few requirements and parameters for exercising that
authority. The following discussion in III.A.1 through III.A.3 of this
document explains the scope of the Secretary's authority to create a
new talent management system.
1. Designate & Establish Qualified Positions
Under 6 U.S.C. 658, DHS has authority to both designate and
establish qualified positions. Section 658(a)(5) defines ``qualified
position'' as ``a position, designated by the Secretary for the purpose
of this section, in which the incumbent performs, manages, or
supervises functions that execute the responsibilities of the
Department relating to cybersecurity.'' Section 658(b)(1)(A)(i) gives
authority to ``establish'' qualified positions and describes qualified
positions as positions in the excepted service that the Secretary
determines necessary to carry out the responsibilities of the
Department relating to cybersecurity. The authority to designate
qualified positions includes determining the purpose and use of such
qualified positions, as the Secretary determines necessary, for
executing DHS's cybersecurity responsibilities.\16\ The authority to
establish qualified positions
[[Page 47845]]
is authority to create qualified positions in the excepted service to
carry out DHS's cybersecurity responsibilities.\17\
---------------------------------------------------------------------------
\16\ ``Designate'' means ``to indicate and set apart for a
specific purpose, office, or duty,'' ``to point out the location
of,'' ``to distinguish as to class,'' or ``specify, stipulate.''
Merriam-Webster, <a href="https://www.merriam-webster.com/dictionary/designate">https://www.merriam-webster.com/dictionary/designate</a> (last visited May 25, 2021).
\17\ Legislative history indicates that the authority to
``establish'' positions means to ``create new positions.'' In a
report accompanying S. 2354, the language of which is now codified
at 6 U.S.C. 658, Congress states that ``the Secretary of Defense may
create new positions for cyber personnel'' and references DOD DCIPS
authority at 10 U.S.C. 1601-1603. S. Rep. 113-207, Report of the
Committee on Homeland Security and Governmental Affairs, U.S.
Senate, to accompany S. 2354, ``To Improve Cybersecurity Recruitment
and Retention,'' (July 14, 2014), 2. In 10 U.S.C. 1601, Congress
grants the Secretary of Defense authority to ``establish, as
positions in the excepted service, such defense intelligence
positions in the Department of Defense as the Secretary determines
necessary to carry out the intelligence functions of the
Department.''
---------------------------------------------------------------------------
The authority to designate and establish qualified positions
applies without regard to any other provisions of law relating to the
number or classification of employees.\18\ In the U.S. Code, provisions
of law relating to the number of employees may limit the number of
positions, or types of positions, or limit the number of employees that
may be hired into such positions.\19\ Thus, DHS is not limited in the
number of qualified positions the Secretary may designate and
establish, except by funding constraints and requirements in
appropriations for DHS.
---------------------------------------------------------------------------
\18\ 6 U.S.C. 658(b)(1)(B). The authority to designate and
establish qualified positions also applies without regard to any
other provisions of law relating to appointment or compensation of
employees.
\19\ See e.g., 5 U.S.C. 3131(c) (``The Office of Personnel
Management, in consultation with the Office of Management and
Budget, shall review the request of each agency and shall authorize
. . . a specific number of Senior Executive Service positions for
each agency''); see also the Federal Employees Pay Act of 1945, Sec.
607 (controlling the number of employees and establishing personnel
ceilings within executive branch agencies), repealed Public Law 81-
784 (Sept. 1950).
---------------------------------------------------------------------------
Under the exemption relating to classification of employees,\20\
DHS is exempt from the General Schedule (GS) position classification
system as well as other work valuation systems relying on traditional
position classification concepts and methods. ``Classification''
generally is a systematic process of job or work valuation used to
describe and value jobs or work and individuals within an
organization.\21\ In the Federal civil service context, classification
most often refers to the GS position classification system, which is
the job evaluation system codified at 5 U.S.C. Chapter 51. Chapter 51
provides a definition of the term ``position'' that means ``the work,
consisting of the duties and responsibilities, assignable to an
employee.'' \22\ Under the GS position classification system, positions
are grouped into classes \23\ and grades \24\ based on duties,
responsibilities, and qualification requirements.\25\ Traditional
Federal position classification systems based on Chapter 51, including
the GS, provide job structures, such as classes and grades, that
meaningfully group positions to facilitate systematic management of
Federal civilian employees and address internal equity. With the GS or
other similar position classification systems, those job structures
influence many aspects of talent management, especially compensation,
for positions under those systems and employees in those positions.\26\
---------------------------------------------------------------------------
\20\ 6 U.S.C. 658(b)(1)(B).
\21\ See Robert L. Heneman, Ph.D., Work Evaluation: Strategic
Issues and Alternative Methods, prepared for the U.S. Office of
Personnel Management, FR-00-20 (July 2000, Revised Feb. 2002), 2-3
and 11.
\22\ 5 U.S.C. 5102(3).
\23\ A ``class'' includes all positions ``sufficiently similar''
regarding ``kind or subject-matter of work; level of difficulty and
responsibility; and the qualifications requirements of the work; to
warrant similar treatment in personnel and pay administration.'' 5
U.S.C. 5102(a)(4).
\24\ A ``grade'' includes all classes of position that,
``although different with respect to the kind of subject-matter of
work, are sufficiently equivalent as to--level of difficulty and
responsibility, and level of qualification requirements of the work;
to warrant their inclusion within one range of rates of basic pay in
the General Schedule.'' 5 U.S.C. 5102(a)(5).
\25\ 5 U.S.C. 5101(2) (requiring grouping of positions into
classes and grades based on duties, responsibilities, and
qualification requirements).
\26\ U.S. Government Accountability Office, Human Capital: OPM
Needs to Improve the Design, Management, and Oversight of the
Federal Classification System, GAO-14-677 (July 2014), 4-6.
---------------------------------------------------------------------------
Under the exemption relating to classification of employees,\27\
DHS is exempt from the definition of ``position'' under the GS position
classification system and other job or work valuation systems, and how
the concept of ``position'' is used under those systems. Section 658
defines and describes qualified positions as positions designated and
established by the Secretary as the Secretary determines necessary, and
both the definition and description of qualified positions use the
general, stand-alone term ``position.'' \28\ In the U.S. Code, that
term does not have a universal meaning or a specific meaning in the
excepted service; instead the U.S. Code contains multiple definitions
of the term ``position'' for specific purposes.\29\
---------------------------------------------------------------------------
\27\ 6 U.S.C. 658(b)(1)(B).
\28\ 6 U.S.C. 658(a)(5) and (b)(1)(A)(i).
\29\ Title 5 of the U.S. Code alone contains multiple
definitions of the term position for purposes of specific Chapters,
sections, or subsections. The multiple definitions in Title 5
describe ``position'' as duties and responsibilities of a position,
types of position, and specific positions occupiable by individuals.
See e.g., 5 U.S.C. 5102(a)(3) (defining ``position'' for purposes of
the General Schedule to mean ``the work, consisting of duties and
responsibilities, assignable to an employee''); 5 U.S.C. 5304(h)(1)
(defining ``position'' for purposes of a particular provision
regarding locality-based comparability payments as types of
positions, including administrative law judges, contract appeals
board members, and SES positions); 5 U.S.C. 5531(2) (defining
positions for purposes of applying dual pay provisions as a specific
position occupiable by an individual, such as a civilian office or
civilian positions, including a temporary, part-time, or
intermittent position, that is appointive or elective in the
legislative, executive, or judicial branch).
---------------------------------------------------------------------------
The authority to designate and establish qualified positions and
the exemptions from existing laws provides the Secretary broad
discretion to determine how to create and use qualified positions for
purposes of carrying out the responsibilities of DHS relating to
cybersecurity. In particular, the exemption relating to classification
of employees means DHS may determine the use of qualified positions and
create such positions as new positions in the excepted service without
regard to existing definitions of positions, or how the concept of
position is currently used, in management of Federal employees.
As discussed subsequently in III.B of this document, main factors
contributing to DHS's challenges recruiting and retaining cybersecurity
talent are the focus of existing Federal talent management practices on
narrowly-defined and mostly-static jobs or positions instead of
individuals and their skills, as well as the inability of current
Federal classification methods to effectively describe and account for
individuals' cybersecurity skills. Therefore, as discussed further in
IV.A.1 of this document, DHS is using the Secretary's broad authority
and discretion for designating and establishing qualified positions,
and the exemptions from existing laws, to create a new type of Federal
civil service position based on individuals and their skills necessary
for executing the DHS cybersecurity mission. To do this, DHS is
designing CTMS with new processes, systems, and programs to create and
use qualified positions based on the DHS cybersecurity mission and
individuals' skills necessary to execute that mission. Those processes,
systems, and programs are called CTMS elements and include a new work
valuation system.
2. Appointment
Under 6 U.S.C. 658, DHS has authority to create new hiring
processes for qualified positions without regard to existing
requirements and processes for hiring Federal civilian employees.
Section 658(b)(1)(A)(ii) gives the Secretary authority to appoint an
individual to a qualified position and, under 6 U.S.C. 658(b)(1)(B),
this
[[Page 47846]]
appointment authority applies without regard to the provisions of any
other law relating to appointment, number, or classification of
employees.\30\
---------------------------------------------------------------------------
\30\ The authority to appoint an individual to a qualified
position also applies without regard to any other provisions of law
relating to compensation of employees. 6 U.S.C. 658(b)(1)(B).
---------------------------------------------------------------------------
The exemption relating to appointment of employees means DHS may
appoint individuals to qualified positions without regard to the Title
5 hiring requirements and processes, including procedures for accepting
and reviewing applications, making selections, and appointing
individuals to positions.\31\ Also, the exemption regarding number of
employees means there is no statutory limit on the number of qualified
positions or number of appointments to such positions. As discussed
previously, provisions of the U.S. Code relating to the number of
employees may limit the number of positions, or types of positions, or
limit the number of employees that may be hired into such
positions.\32\ Although DHS is not limited in the number of
appointments to qualified positions, funding constraints and
requirements in DHS appropriations still apply.
---------------------------------------------------------------------------
\31\ See e.g., 5 U.S.C. Chapter 33, Subchapter I.
\32\ See e.g., 5 U.S.C. 3131(c) (``The Office of Personnel
Management, in consultation with the Office of Management and
Budget, shall review the request of each agency and shall authorize
. . . a specific number of Senior Executive Service positions for
each agency''); see also the Federal Employees Pay Act of 1945, Sec.
607 (controlling the number of employees and establishing personnel
ceilings within executive branch agencies), repealed Public Law 81-
784 (Sept. 1950).
---------------------------------------------------------------------------
The exemption relating to classification of employees, discussed
previously, means DHS may also appoint individuals to qualified
positions exempt from the GS position classification system and other
work valuation systems relying on traditional position classification
concepts and methods. In the context of appointments, Chapter 51 and
implementing regulations and policy dictate elements of the hiring
process for GS positions. For example, OPM classification and
qualification standards, policies, and processes \33\ establish
procedures used for defining, identifying, and evaluating jobs and
applicants in order to select individuals for appointment to a GS
position.
---------------------------------------------------------------------------
\33\ See U.S. Office of Personnel Management website,
``Classification & Qualifications,'' <a href="https://www.opm.gov/policy-data-oversight/classification-qualifications/">https://www.opm.gov/policy-data-oversight/classification-qualifications/</a> (last visited May 25,
2021).
---------------------------------------------------------------------------
As discussed subsequently in III.B of this document, main factors
contributing to DHS's challenges recruiting and retaining cybersecurity
talent are the lack of focus of existing Federal talent management
practices on individuals and their skills, as well as fierce
competition for those individuals and their skills. Therefore, as
discussed further in IV.C of this document, DHS is using the
Secretary's appointment authority, and the exemptions from existing
laws, to create new hiring processes for qualified positions to recruit
and hire individuals with mission-critical skills. To do this, DHS
designed strategic recruitment processes based on leading private
sector practices and a new skills-based assessment program under a new
DHS-specific talent acquisition system.
3. Compensation
Under 6 U.S.C. 658(b), DHS has authority to create a new
administrative compensation system covering salaries and other types of
compensation. Section 658(b)(1)(A)(iii) gives authority to set
compensation for individuals in qualified positions. This Sec. 658
compensation authority includes specific salary authority in Sec.
658(b)(2)(A) to fix the rates of basic pay for qualified positions
subject to limitations on maximum rates of pay. The Sec. 658
compensation authority also includes specific additional compensation
authority in Sec. 658(b)(3)(A) to provide compensation in addition to
basic pay, including benefits, incentives, and allowances.
The Sec. 658 compensation authority applies without regard to any
other provisions of law relating to the classification or compensation
of employees.\34\ As explained previously, the exemption relating to
classification of employees exempts the authority in 6 U.S.C. 658 from
the GS position classification system and other Federal work valuation
systems. In the context of compensation, the GS position classification
system describes and groups Federal civil service positions to assign
rates of basic pay under the related GS pay system in 5 U.S.C. Chapter
53. Thus, the Sec. 658 compensation authority is exempt from the GS
pay system as well as the GS position classification system under both
the exemption relating to classification of employees and the exemption
relating to compensation of employees.
---------------------------------------------------------------------------
\34\ 6 U.S.C. 658(b)(1)(B). The Sec. 658 compensation authority
also applies without regard to any other provisions of law relating
to appointment or number of employees. Id.
---------------------------------------------------------------------------
In addition to laws establishing the GS pay system, the exemption
relating to compensation of employees exempts the Sec. 658
compensation authority from other provisions of law relating to
compensation, which include: Provisions in 5 U.S.C. Chapter 53
establishing and governing other pay systems; premium pay provisions in
5 U.S.C. Chapter 55 and the minimum wage and overtime pay provisions of
the Fair Labor Standards Act (FLSA); provisions in Title 5 regarding
monetary awards, incentives, and certain differentials; the limitation
on annual aggregate compensation in 5 U.S.C. 5307; and provisions in 5
U.S.C. Chapter 61 governing work schedules, which impacts compensation,
especially salary and leave.
The Sec. 658 compensation authority does provide parameters for
exercising that authority specific to providing basic pay and providing
additional compensation, and those parameters depend on identifying
positions that are ``comparable'' to qualified positions designated by
the Secretary. For Sec. 658 basic pay, the Secretary must identify
comparable positions in DOD and their associated rates of pay, and then
fix rates of basic pay for individuals in qualified positions ``in
relation to'' those DOD rates of pay.\35\ For Sec. 658 additional
compensation, if the Secretary provides additional compensation, the
Secretary must identify comparable positions authorized by Title 5, and
then provide only additional compensation that is ``consistent with,
and not in excess of the level authorized for,'' those Title 5
positions.\36\
---------------------------------------------------------------------------
\35\ 6 U.S.C. 658(b)(2)(A).
\36\ 6 U.S.C. 658(b)(3)(A).
---------------------------------------------------------------------------
The language of, and direction in, the Sec. 658 basic pay
authority and the Sec. 658 additional compensation authority is
ambiguous, including the implicit initial requirement to identify
``comparable positions.'' Statutory language for Federal compensation
systems generally is not straight-forward nor unambiguous, and the
responsibility of resolving ambiguities in the Federal compensation
system context has been characterized as inherently complex.\37\
[[Page 47847]]
The compensation authority language in 6 U.S.C. 658 is no exception. To
implement the Sec. 658 compensation authority, DHS has had to
interpret the ambiguous statutory language of the basic pay authority
and the additional compensation authority, as discussed in the
following three sections of this document: III.A.3.(a) Comparable
Positions, III.A.3.(b) Basic Pay, and III.A.3.(c) Additional
Compensation.
---------------------------------------------------------------------------
\37\ In 2012, the Comptroller General noted ``the extraordinary
complexity of the [F]ederal pay systems and the difficulties we have
encountered in attempting to resolve ambiguities arising from pay
laws enacted at different times over nearly 70 years ago.''
Comptroller General Opinion, Pay for Consultants and Scientists
Appointed under Title 42, B-323357 (July 12, 2012) (determining that
the pay cap in 5 U.S.C. 5373 is inapplicable to pay for consultants
and scientists appointed under 42 U.S.C. 209(f) or (g), but that
such pay is limited by an appropriations cap), 1. The Comptroller
General referenced a D.C. Circuit case that also noted the inherent
complexity in resolving ambiguities in the Federal compensation
context. Id. That D.C. Circuit case explained that in 1983 there
were six discrete Federal civilian pay systems and ``depending on
the degree of disaggregation, over forty other, separate pay
systems. These pay systems vary considerably in the number of
employees covered and method for determining pay.'' International
Organization of Masters, Mates & Pilots v. Brown, 698 F.2d 536, 539
(D.C. Cir. 1983), 698 F.2d 536, 538-39 (holding that the pay cap in
5 U.S.C. 5373 applies to government mariners whose pay is set in
accordance with prevailing rates and practices in the maritime
industry). The Comptroller General also commented: ``The statutory
scheme has only become more complex since 1983.'' Comptroller
General Opinion, B-323357 at 1.
---------------------------------------------------------------------------
(a) Comparable Positions
Section 658 does not define or identify comparable positions in
DOD, comparable positions authorized by Title 5, nor what makes such
positions ``comparable'' to qualified positions. As mentioned
previously, and discussed in IV.A of this document, DHS is using the
Secretary's broad authority and discretion for designating and
establishing qualified positions to create qualified positions as a new
type of Federal civil service position based on the DHS cybersecurity
mission and individuals' skills necessary to execute that mission. As
such, there are no existing positions in DOD nor existing positions
authorized by Title 5 that are obvious ``comparable positions'' to this
new type of position for the purposes of implementing the Sec. 658
basic pay authority and the Sec. 658 additional compensation
authority. Consequently, DHS must determine which positions in DOD, and
which positions authorized by Title 5, are comparable to this new type
of Federal civil service position.
DHS interprets ``comparable positions'' to mean positions that have
characteristics in common with a qualified position. A dictionary
definition of the term ``comparable'' can mean ``similar'' or ``capable
of being compared;'' however, only the ``similar'' definition provides
guidance.\38\ Most--if not all--Federal civil service positions are
``comparable'' in the sense that they are capable of being be compared
to one another based on some criteria or using a consistent metric. The
ability or a process to compare positions does not result in
identifying positions in DOD and positions authorized by Title 5 that
are ``comparable'' for the purpose of implementing the Sec. 658 basic
pay authority and the Sec. 658 additional compensation authority.\39\
A dictionary definition of the term ``similar'' is ``alike in substance
or essentials'' or ``having characteristics in common.'' \40\ Thus,
positions that are ``comparable'' are ones that are alike in substance
or essentials or have characteristics in common.
---------------------------------------------------------------------------
\38\ United States v. Cinemark USA Inc., 348 F.3d 569 (6th Cir.
2003) (determining that ``comparable'' has two possible meanings
under a dictionary definition: (1) ``similar,'' and (2) ``capable of
being compared and concluding that the term ``comparable'' had to
mean ``similar'' in order to give substantive meaning to that term).
\39\ Id. at 573 (explaining: ``While the word `comparable' can
mean `capable of being compared,' such an interpretation would give
the word no substantive content in this context. The other--
obviously intended--meaning of `comparable' is `similar.' Thus, in
ordinary parlance, if the prices at one store or restaurant are ten
times those of a competitor, one would not say that the prices are
`comparable,' even though they can obviously be compared'').
\40\ Merriam-Webster, <a href="https://www.merriam-webster.com/dictionary/similar">https://www.merriam-webster.com/dictionary/similar</a> (last visited May 25, 2021).
---------------------------------------------------------------------------
The main characteristics of a qualified position can be described
as a link to the DHS cybersecurity mission and an emphasis on an
individual's skills necessary to execute that mission. Thus,
``comparable positions'' in DOD and authorized by Title 5, are those
that also have (1) a link to cybersecurity responsibilities of an
agency, and (2) an emphasis on an individual's skills necessary to
perform cybersecurity work. Some positions in DOD and some positions
authorized by Title 5 have these characteristics in common with
qualified positions, and thus are ``comparable'' to qualified
positions. Note that positions classified using traditional Federal
position classification methods, including the GS position
classification system, do not emphasize an individual's skills. As
explained in III.B.2 of this document, traditional Federal position
classification primarily focuses on the work of a position and only
minimally accounts for the skills an individual brings to the work of a
position and how such skills may influence the performance of work.
Positions in DOD that have or could have a link to cybersecurity
responsibilities and an emphasis on an individual's skills, and thus
are comparable positions in DOD for purposes of implementing the Sec.
658 basic pay authority, include the following eleven types of
positions:
<bullet> Senior Level/Scientific or Professional (SL/ST) positions
under 5 U.S.C. 5376;
<bullet> Senior Executive Service (SES) positions under 5 U.S.C.
Chapter 31, Subchapter II;
<bullet> Experts and consultants positions under 5 U.S.C. 3109;
<bullet> Critical pay positions under 5 U.S.C. 5377;
<bullet> DOD CES positions under 10 U.S.C. 1599f;
<bullet> DOD DCIPS positions under 10 U.S.C. 1601 et seq.;
<bullet> DOD highly qualified experts (DOD HQE) positions under 5
U.S.C. 9903;
<bullet> Intelligence Community highly qualified experts (IC HQE)
under 50 U.S.C. 3024(f)(3)(A)(iii);
<bullet> Intelligence Community (IC) critical pay positions under
50 U.S.C. 3024(s);
<bullet> Scientific and Technology Reinvention Laboratories (STRL)
positions under 10 U.S.C. 2358c; and
<bullet> Pilot cybersecurity professional positions under section
1110 of the National Defense Authorization Act for Fiscal Year
2018.\41\
---------------------------------------------------------------------------
\41\ Public Law 115-91 (Dec. 2017).
---------------------------------------------------------------------------
Positions ``authorized by [T]itle 5,'' while not clearly defined,
at least include positions specifically authorized in Title 5
provisions. Five of the eleven types of comparable positions in DOD are
also authorized in Title 5 provisions. Thus, positions authorized by
Title 5 that have or could have a link to cybersecurity
responsibilities and an emphasis on an individual's skills, and are
therefore comparable positions authorized by Title 5 for purposes of
implementing the Sec. 658 additional compensation authority, include
at least the following types of positions:
<bullet> SL/ST positions under 5 U.S.C. 5376;
<bullet> SES positions under 5 U.S.C. Chapter 31, Subchapter II;
<bullet> Experts and consultants positions under 5 U.S.C. 3109;
<bullet> Critical pay positions under 5 U.S.C. 5377; and
<bullet> DOD HQE positions under 5 U.S.C. 9903.
[[Page 47848]]
It is important to note that the eleven types of comparable
positions are each comparable to a qualified position. As such, a
qualified position is simultaneously comparable to each of these eleven
types of comparable positions. This one-to-many relationship between a
qualified position and the eleven types of comparable positions affects
how DHS interprets and implements the Sec. 658 basic pay authority and
the Sec. 658 additional compensation authority, as discussed in the
following two sections, III.A.3.(b) Basic Pay and III.A.3.(c)
Additional Compensation.
(b) Basic Pay
Section 658(b)(2)(A) provides the Secretary basic pay authority and
parameters for exercising that authority by requiring the Secretary fix
rates of basic pay for qualified positions ``in relation to the rates
of pay provided for employees in comparable positions in the Department
of Defense and subject to the same limitation on maximum rates of pay
established for such employees by law or regulation.'' This authority
to fix rates of basic pay is authority to create and administer a new
salary system with a salary range and policies for setting and
adjusting salaries.\42\ Under 6 U.S.C. 658(b)(1)(B), the new salary
system is exempt from any other laws relating to classification or
compensation of employees, including the GS position classification
system and the associated GS pay system.\43\ The new salary system,
however, must adhere to the two parameters in the Sec. 658 basic pay
authority regarding rates of pay and maximum rates.
---------------------------------------------------------------------------
\42\ Section 658(b)(2)(B) also provides the Secretary
discretionary authority for establishing a prevailing rate system,
which is not addressed by this rulemaking.
\43\ The new salary system is also exempt from any other laws
relating to the appointment or number of employees. 6 U.S.C.
658(b)(1)(B).
---------------------------------------------------------------------------
(i) Rates of Pay and Pay Ranges
To ensure salaries under the new salary system are set in relation
to the rates of pay provided for employees in comparable positions in
DOD,\44\ the Department must interpret the ambiguous ``in relation to''
requirement, and apply it using the rates of pay for the eleven types
of comparable positions in DOD.
---------------------------------------------------------------------------
\44\ 6 U.S.C. 658(b)(2)(A).
---------------------------------------------------------------------------
Rates of pay are organized as pay ranges with a minimum rate and
maximum rate. The rates of pay provided for the eleven types of
comparable positions in DOD are nine different pay ranges established
in statute and DOD implementing documents. Because a qualified position
is simultaneously comparable to each type of comparable position in
DOD, all nine pay ranges are relevant in applying the ``in relation
to'' requirement. The nine pay ranges for the eleven types of
comparable positions in DOD are as follows:
Table 1--Pay Ranges for Comparable Positions in DOD
------------------------------------------------------------------------
Pay range
--------------------------------------------------- Comparable position
Minimum rate Maximum rate in DOD
------------------------------------------------------------------------
No minimum T1............... GS-15 step 10 T2.... Experts and
consultants
positions.
GG-7 or pay band 2 T3....... EX-IV T4............ DOD CES and DOD
DCIPS positions.
n/a......................... EX-IV T5............ DOD HQE positions.
120 percent of GS-15 minimum EX-II (with an OPM- SL/ST and SES
basic pay T6. certified positions.
performance
appraisal system,
otherwise EX-III)
T7.
Not less than the rate EX-I T9............. Critical pay
otherwise payable if not positions.
determined critical T8.
n/a......................... EX-I with Director IC critical pay
of National positions.
Intelligence
approval otherwise
EX-II T10.
n/a......................... Vice President's IC HQE positions.
salary T11.
n/a......................... 150 percent of EX-I STRL positions.
T12.
n/a......................... No maximum T13...... Pilot cybersecurity
professional
positions.
------------------------------------------------------------------------
T1 5 U.S.C. 3109(b).
T2 Id. This authority for expert and consultants positions also includes
an authority to supersede this maximum rate when specifically
authorized by appropriation or other statute.
T3 DODI 1400.25-V3007, DOD Civilian Personnel Management System: Cyber
Excepted Service (CES) Occupational Structure (Aug. 15, 2017), 6
(Entry/Developmental Work Level 1 for Professional Work Category in
CES Occupational Structure); DODI 1400.25-V2007, DOD Civilian
Personnel Management System: Defense Civilian Intelligence Personnel
System (DCIPS) Compensation Administration (Apr. 17, 2012), 27 (Entry/
Developmental Work Level 1 for Professional Work Category in DCIPS
Occupational Structure).
T4 DODI 1400.25-V3006, DOD Civilian Personnel Management System: Cyber
Excepted Service (CES) Compensation Administration (Aug. 15, 2017), 4
(``basic rates of pay will comply with the maximum pay limitation of
Level IV of the Executive Schedule for basic pay''); DODI 1400.25-
V2006, DOD Civilian Personnel Management System: Defense Civilian
Intelligence Personnel System (DCIPS) Compensation Administration
(Mar. 3, 2012, incorporating changes effective July 6, 2020), 9
(``adjusted basic pay may not exceed the rate of Level IV of the
Executive Schedule'').
T5 5 U.S.C. 9903(b).
T6 5 U.S.C. 5376(b) and 5382.
T7 Id.
T8 5 U.S.C. 5377(d).
T9 Id. This authority for critical pay positions also includes an
authority to supersede this maximum rate with written approval from
the President.
T10 50 U.S.C. 3024(s). This authority for IC critical pay positions also
includes an authority to supersede this maximum rate with presidential
approval.
T11 ICD 623, Intelligence Community Directive Number 623, Appointment of
Highly Qualified Experts (Oct. 16, 2008), 4 (``The DNI may set the
rate of basic pay for HQEs up to or equal to the salary of the Vice
President of the United States (as established by 3 U.S.C. 104)'').
T12 10 U.S.C. 2358c(d) s.
T13 National Defense Authorization Act for Fiscal Year 2018, Public Law
115-91, Sec. 1110(f), (Dec. 2017).
[[Page 47849]]
DHS interprets the ``in relation to'' requirement to mean that the
Secretary has discretion to establish and operate a new salary system
within the boundaries provided by the nine rate ranges for the eleven
types of comparable positions in DOD. Congress has used a similar ``in
relation to'' requirement in other compensation authorities, and courts
have held that such a requirement provides boundaries for determining
appropriate salaries under a compensation authority.\45\ The courts
also concluded that such a requirement gives the agency head discretion
to fill in the details within those boundaries.\46\ Legislative history
indicates that 6 U.S.C. 658 grants compensation flexibilities to better
recruit and retain cybersecurity talent with more competitive
compensation.\47\
---------------------------------------------------------------------------
\45\ Crawford v. U. S., 179 Ct. Cl. 128 (1967) cert. denied 389
U.S. 1041 (1968) (construing ``in relation to'' in Section 2353(c)
of the Overseas Teacher Pay and Personnel Practices Act of 1959
(Pub. L. 86-91), which directed: ``The Secretary of each military
department shall fix the rates of basic compensation of teachers and
teaching positions in his military department in relation to the
rates of basic compensation for similar positions in the United
States . . .''); Homezell Chambers v. U.S, 306 F.Supp. 317 (E.D. Va
1969) (also construing the Section 2353(c) of the Overseas Teach Pay
and Personnel Practices Act of 1959); see also Reinheimer v. Panama
Canal Co., 413 F.2d 153 (5th 1969) (construing ``in relation to'' in
section 144(b) of title 2 of the Canal Zone Code (Pub. L. 73-431),
which directed salaries for employees of the Panama Canal Zone ``may
be established and revised in relation to rates of compensation for
the same or similar work performed in the continental United
States,'' as not meaning ``equal to'' but instead as indicating some
amount of discretion); Binns v. Panama Canal Co., 459 F.Supp. 956,
958 (D.C.Z. 1978) (discussing Reinheimer as holding that the ``in
relation to'' direction in section 144(b) of title 2 of the Canal
Zone Code ``allows the relational establishment of wages, and
therefore also allows deviations from wage rates which would be
identical to those of the same or similar positions in the
continental United States'').
\46\ Crawford v. U. S., 179 Ct. Cl. 128, 139 (1968) (stating
that the authority to fix the rates of basic compensation in
relation to the rates of basic compensation for similar positions
``merely set the boundaries of the program allowing the Secretary of
Defense to fill in the details. Nowhere did Congress fix salaries in
Public Law 86-91 [Overseas Teachers Pay and Personnel Act], nor did
it define the positions which were to be looked to in the United
States as similar to those occupied by the overseas teachers . . . .
That the Secretary was vested with discretion to issue regulations
governing the fixing of rates of basic compensation follows
unmistakably from the grant of authority contained in Section
2352(a)(2) of the Act [which provided the authority to fix rates of
basic compensation in relation to other rates of compensation and
required implementing regulations]''); Homezell Chambers v. U.S, 306
F.Supp. 317 (E.D. Va 1969) (affirming the Secretary of Defense's
discretion for determining overseas teacher pay).
\47\ See supra note 15.
---------------------------------------------------------------------------
DHS determines that the boundaries of the new salary system, as
provided by the nine rate ranges for the eleven types of comparable
positions in DOD, may be from no minimum to 150 percent of EX-I or no
maximum. The nine rate ranges, presented in Table 1: Rate Ranges for
Comparable Positions in DOD, have several minimum rates, which start at
no minimum, and several maximum rates, which range up to 150 percent of
EX-I and no maximum. As discussed subsequently in III.B of this
document, the competitiveness of compensation, especially salary, is a
main factor contributing to DHS's challenges recruiting and retaining
cybersecurity talent. Therefore, as discussed further in IV.E.3 of this
document, the Department is using the highest maximum rates for the
upper boundary for the new salary system.
(ii) Limitations on Maximum Rates and Pay Caps
To ensure salaries under the new salary system are subject to the
same limitations on maximum rates for employees in comparable positions
in DOD established by law or regulation,\48\ DHS must identify the
``limitations on maximum rates'' for the eleven types of comparable
positions in DOD, and then apply those same limitations to the new pay
system.
---------------------------------------------------------------------------
\48\ 6 U.S.C. 658(b)(2)(A).
---------------------------------------------------------------------------
Just as 6 U.S.C. 658 does not identify comparable positions in DOD,
it does not prescribe or identify the ``limitations on maximum rates of
pay'' for those comparable positions. Thus, to implement the ``the same
limitations on maximum rates'' requirement in 6 U.S.C. 658, DHS must
interpret the phrase ``limitations on maximum rates'' and apply it
using the eleven types of comparable positions in DOD.
DHS interprets ``limitations on maximum rates'' to mean salary
caps. Congress generally uses the term ``limitation'' within
compensation statutes to mean a pay or salary cap. U.S. Code sections
using the term ``limitation'' in a compensation context indicate that
the term means an amount cap.\49\ When used in conjunction with the
authority to fix or adjust rates of pay, the term ``limitation'' means
a salary cap.\50\ These U.S. Code sections also indicate that the term
``limitation'' often specifically refers to the salary cap for
administrative pay systems in 5 U.S.C. 5373 or 5306(e).\51\ The Sec.
658 basic pay authority is authority to create a new administrative
compensation system; however, under the exemption relating to the
compensation of employees in Sec. 658(b)(1)(B), the new salary system
is exempt from the salary cap in 5 U.S.C. 5373 and 5306(e). The new
system must instead comply with the ``same limitations on maximum
rates'' requirement in Sec. 658(b)(2)(A).
---------------------------------------------------------------------------
\49\ See e.g., 5 U.S.C. 5307 (entitled ``Limitation on certain
payments'' and providing a general amount cap on total compensation,
which is known as the annual aggregate compensation cap); 5 U.S.C.
5547 (entitled ``Limitation on premium pay'' and providing an amount
cap on the aggregate of basic pay and premium pay under Title 5);
see also 5 U.S.C. 5759(c) and 10 U.S.C. 1091(b).
\50\ See e.g., 5 U.S.C. 5376 and 5382 (stating that basic pay
for SL/ST positions and SES positions is not subject to ``the pay
limitation in section 5306(e) or 5373''); see also 10 U.S.C.
9414(d); 24 U.S.C. 415(e); and 10 U.S.C. 1587a(e).
\51\ Id.
---------------------------------------------------------------------------
DHS interprets the ``same limitations on maximum rates''
requirement to mean that the new salary system is subject to the same
salary caps applicable to the eleven types of comparable positions in
DOD. A maximum rate for a rate range serves as a salary cap. As shown
previously in Table 1, the pay ranges for the eleven types of
comparable positions in DOD each have at least one maximum rate, except
the pay range for pilot cybersecurity professional positions does not
include a maximum rate. For the comparable positions in DOD that have
more than one maximum rate, only the highest rate serves as a true
salary cap because the lower maximum rate can be superseded under
certain circumstances, whereas the higher rate serves as the absolute
limit for salaries in that rate range. As such, comparable positions in
DOD have six different salary caps based on their highest maximum rate.
Because a qualified position is simultaneously comparable to each type
of comparable position in DOD, all six salary caps are relevant in
applying the ``same limitations on maximum rates'' requirement. The six
relevant salary caps for the eleven types of comparable positions in
DOD are as follows:
Table 2--Salary Caps for Comparable Positions in DOD
------------------------------------------------------------------------
Maximum rate Comparable position in DOD
------------------------------------------------------------------------
GS-15 step 10..................... Experts and consultants positions.T1
EX-IV............................. DOD CES and DOD DCIPS positions; T2
and DOD HQE positions.T3
[[Page 47850]]
EX-II............................. SL/ST and SES positions (with an OPM-
certified performance appraisal
system).T4
EX-I.............................. Critical pay positions; T5 and IC
critical pay positions (with
Director of National Intelligence
approval) T6
Vice President's salary........... IC HQE positionsT7
150 percent of EX-I............... STRL positionsT8
------------------------------------------------------------------------
T1 5 U.S.C. 3109(b).
T2 DODI 1400.25-V3006, DOD Civilian Personnel Management System: Cyber
Excepted Service (CES) Compensation Administration (Aug. 15, 2017), 4,
and DODI 1400.25-V2006, DOD Civilian Personnel Management System:
Defense Civilian Intelligence Personnel System (DCIPS) Compensation
Administration (Mar. 3, 2012, incorporating changes effective July 6,
2020), 9.
T3 5 U.S.C. 9903(b).
T4 5 U.S.C. 5376(b) and 5382.
T5 5 U.S.C. 5377(d).
T6 50 U.S.C. 3024(s).
T7 ICD 623, Intelligence Community Directive Number 623, Appointment of
Highly Qualified Experts (Oct. 16, 2008), 4.
T8 10 U.S.C. 2358c(d).
Because the new salary system must set salaries subject to the
``same'' limitations on maximum rates for employees in comparable
positions in DOD, each of the six salary caps applies to the new salary
system. Congress uses the plural term ``limitations'' in the Sec. 658
basic pay authority, which indicates Congress contemplated, or at least
accounted for, the possibility of more than one salary cap; however,
Congress is silent on how multiple salary caps might apply to the new
salary system.
With the Secretary's broad authority and discretion for designating
and establishing qualified positions, determining comparable positions
in DOD, establishing a salary system within expansive boundaries, and
identifying salary caps to apply to the new salary system, it follows
that the Secretary also has implicit authority and discretion for how
to apply the six applicable salary caps. In exercising this authority
and discretion, the Secretary must ensure the new salary system is
subject to the ``same'' salary caps as comparable positions in DOD, and
as such, DHS is applying all six salary caps to the new salary system,
as discussed further under IV.E.3 of this document.
(c) Additional Compensation
Section 658(b)(3)(A) provides the Secretary discretionary
additional compensation authority and parameters for exercising that
authority by requiring that any discretionary additional compensation
for employees in qualified positions, must be ``consistent with, and
not in excess of the level authorized for, comparable positions
authorized by [T]itle 5, United States Code.'' Section 658(b)(3)(B)
also separately mandates one type of additional compensation,
allowances in nonforeign areas, and also mandates that employees in
qualified positions are eligible for such allowances under 5 U.S.C.
5941 on the same basis and to the same extent as if the employees were
covered under section 5941.
The Sec. 658 additional compensation authority for both
discretionary additional compensation and the separate, mandatory
allowances in nonforeign areas is exempt under 6 U.S.C. 658(b)(1)(B)
from any other laws relating to compensation.\52\ Any discretionary
additional compensation DHS provides, however, must adhere to the two
parameters that such additional compensation is ``consistent with''
comparable positions authorized by Title 5 and not in excess of ``the
level authorized for'' such positions.
---------------------------------------------------------------------------
\52\ The Sec. 658 additional compensation authority is also
exempt from any other laws relating to the appointment, number, or
classification of employees. 6 U.S.C. 658(b)(1)(B).
---------------------------------------------------------------------------
(i) Consistent With
To provide discretionary additional compensation that is consistent
with comparable positions authorized by Title 5, DHS must interpret
this ambiguous ``consistent with'' requirement, and apply it using the
five types of comparable positions authorized by Title 5. As discussed
previously in III.C.3 of this document, comparable positions authorized
by Title 5 include SL/ST, SES, Experts and Consultants, Critical Pay,
and DOD HQE positions.
Based on Congress's choice of punctuation and syntax, it is clear
that discretionary additional compensation must be consistent with
comparable positions authorized by Title 5. Section 658(b)(3)(A)
directs that any discretionary additional compensation be ``consistent
with, and not in excess of the level authorized for, comparable
positions authorized by [T]itle 5.'' In section 658(b)(3)(A), the
phrase ``and not in excess of the level authorized for'' is set aside
by commas and is a non-essential clause that is not necessary for
reading the rest of the sentence.\53\ The sentence read without the
clause states that such additional compensation must be ``consistent
with . . . comparable positions authorized by [T]itle 5.'' Congress
reads the Sec. 658 additional compensation authority in just this
manner in the legislative history when it treats the syntax and
punctuation of the ``consistent with'' requirement as purposeful \54\
and omits the non-essential clause in describing the authority.\55\ A
report accompanying a previous bill, the language of which now is
codified at 6 U.S.C. 658, does not correct the syntax or punctuation of
the language, nor does it directly quote the
[[Page 47851]]
language, but uses slightly different language to describe the
requirement that discretionary additional compensation must be
consistent with comparable positions authorized by Title 5.\56\
---------------------------------------------------------------------------
\53\ Non-essential clauses, a type of non-restrictive element,
do not limit the meaning of the words they modify. See William
Strunk, The Elements of Style (1st Ed. 2004), 9 (non-restrictive
elements ``do not limit the application of the words on which they
depend, but add, parenthetically, statements supplementing those in
the principal [elements]'').
\54\ Congress has used the same punctuation and syntax of the
``consistent with'' requirement since its creation in the bill
enacted as the DOD DCIPS authority; however, the legislative history
for the DOD DCIPS authority does not address the ``consistent with''
requirement. The draft bill stated:
(c) Additional Compensation, Incentives, and Allowances--(1)
Employees in defense intelligence component positions may be paid
additional compensation, including benefits, incentives, and
allowances, in accordance with this subpart if, and to the extent,
authorized in regulations prescribed by the Secretary of Defense.
(2) Additional compensation under this subsection shall be
consistent with, and not in excess of the levels authorized for,
comparable positions authorized by [T]itle 5.
S. 1745 (104th Congress 2d Session, July 10, 1996), Sec. 1132
(proposed for 10 U.S.C. 1590(c)) (emphasis added); H.R. 3230 (104th
Congress 2d Session, July 10, 1996), Sec. 1132 (proposed for 10
U.S.C. 1590(c) (also providing for allowances while stationed
outside the continental U.S. or in Alaska tied to the allowance
under 5 U.S.C. 5941) (emphasis added).
\55\ S. Rep. 113-207, Report of the Committee on Homeland
Security and Governmental Affairs, U.S. Senate, to accompany S.
2354, ``To Improve Cybersecurity Recruitment and Retention,'' (July
14, 2014), 4 (explaining the authority gives DHS authority to
``grant additional compensation, incentives, and allowances
consistent with comparable positions authorized by Title 5, United
States Code'').
\56\ Id. Note that the additional compensation language of then-
bill S. 2354 is identical to the language codified in 6 U.S.C.
658(b)(3).
---------------------------------------------------------------------------
Neither 6 U.S.C. 658 nor the legislative history explain or
identify how compensation can be consistent with a position. A
dictionary definition of the phrase ``consistent with'' signals that
the phrase does not require sameness.\57\ A case addressing the phrase
``consistent with'' in a corporate merger agreement confirms that
``consistent with'' does not require sameness, and also indicates that
this phrase has meaning only when comparing similar things.\58\
Additional compensation and positions are not the same, or even similar
things, and are not usually compared.
---------------------------------------------------------------------------
\57\ A dictionary definition of ``consistent with'' means
``marked by harmony, regularity, or steady continuity: free from
variation or contradiction'' and ``marked by agreement: Compatible-
usually used with with.'' Merriam-Webster, <a href="http://www.merriam-webster.com/dictionary/consistent">www.merriam-webster.com/dictionary/consistent</a> (last visited May 25, 2021). Variation'' means
``the act or process of varying: the state or fact or being varied''
and ``vary'' means ``to make a partial change in: make different in
some attribute or characteristic.'' Merriam-Webster, <a href="https://www.merriam-webster.com/dictionary/variation">https://www.merriam-webster.com/dictionary/variation</a> (last visited May 25,
2021); <a href="https://www.merriam-webster.com/dictionary/vary">https://www.merriam-webster.com/dictionary/vary</a> (last visited
May 25, 2021). ``Contradiction'' means ``the act or instance of
contradicting'' and ``contradict'' means ``to assert the contrary
of; take issue with'' and ``to imply the opposite or denial of.''
Merriam-Webster, <a href="https://www.merriam-webster.com/dictionary/contradiction">https://www.merriam-webster.com/dictionary/contradiction</a> (last visited May 25, 2021); <a href="https://www.merriam-webster.com/dictionary/contradict">https://www.merriam-webster.com/dictionary/contradict</a> (last visited May 25, 2021). This
dictionary definition has limited use because being free from
variation, which would not permit partial changes, is different from
being free from contradiction, which would not permit anything that
is the opposite.
\58\ Courts have not had an opportunity to consider this or any
other ``consistent with'' requirement in the Federal compensation
context. In Vry v. Martine Marietta Materials, Inc., 2003 WL 297309
(U.S. Dist Court, D. Minnesota) (2003). a district court held that a
company offered compensation and benefits ``at levels consistent
with'' prior levels as required by a corporate merger agreement,
even though new and prior compensation and benefits levels were not
the same. For example, while an employee's salary did not increase
as expected, it did not decrease; the 401k plan matching
contributions by the old company were dollar-to-dollar up to 4
percent of an employee's contributions, and the new company only
matched 50-cents-per-dollar, but up to 7 percent of an employee's
salary; pension plans were different, but the new company's plan
conferred greater benefits; and health insurance programs differed
with the old company offering a high deductible plan with negligible
premiums and the new company offering a plan with monthly premiums,
15 percent copays, and no deductible, but both plans imposed similar
burdens on the employee and reflect similar and reasonable
calculations and allocations of risk from an employee's perspective.
2003 WL 297309. Note, however, that the court was interpreting
language that required levels of compensation to be consistent with
levels of compensation, which differs from the language in 6 U.S.C.
658 requiring compensation to be consistent with positions.
---------------------------------------------------------------------------
Moreover, most additional compensation provided under Title 5
depends not on an individual's position, but on whether the individual
is an ``employee,'' as defined in Title 5. Under Title 5, most types of
additional compensation are available to an employee, regardless of the
employee's type of position.\59\
---------------------------------------------------------------------------
\59\ See e.g., 5 U.S.C. 4502 (making available incentive awards
of cash awards, honorary recognition, and time-off awards to an
``employee'' who satisfies other award-specific criteria that do not
include position type) and 5 U.S.C. 8333 and 8410 (stating that
retirement annuity is available to ``an employee'' who satisfies
certain eligibility requirements that do not include position type).
---------------------------------------------------------------------------
Although the language of the ``consistent with'' requirement is
ambiguous and confusing, the entire context of 6 U.S.C. 658 indicates
that the ``consistent with'' requirement can be satisfied by basing
additional compensation on authorities in Title 5.\60\ The heading of
the subparagraph providing the discretionary additional compensation
authority, and the ``consistent with'' requirement, is ``Additional
Compensation Based on Title 5 Authorities.'' \61\ Therefore, Congress
characterizes additional compensation that must be consistent with
comparable positions authorized by Title 5 as being based on Title 5
authorities. This characterization is in contrast to the subparagraph
heading mandating allowances in nonforeign areas, which is ``Allowances
in Nonforeign Areas'' and does not further characterize this type of
additional compensation.\62\
---------------------------------------------------------------------------
\60\ ``Statutory construction . . . is a holistic endeavor.''
Smith v. U.S., 508 U.S. 223, 233 (1993). The entire context of a
section or statute may clarify meaning of ambiguous language or
terminology. See id. (``A provision that may seem ambiguous in
isolation is often clarified by the remainder of the statutory
scheme--because the same terminology is used elsewhere in a context
that makes its meaning clear, or because only one of the permissible
readings produces a substantive effect that is compatible with the
rest of the law'').
\61\ 6 U.S.C. 658(b)(3)(A). This paragraph heading is also
borrowed from the DOD DCIPS authority at 10 U.S.C. 1603(a). This
heading was not in the draft bill for the DOD DCIPS authority, but
Congress added it when Congress moved the additional compensation
authority to its own paragraph before enactment. Originally,
Congress included the DOD DCIPS authority for additional
compensation and nonforeign allowances in one subsection with the
title: ``Additional Compensation, Incentives, and Allowances.'' S.
1745 (104th Congress 2d Session, July 10, 1996), Sec. 1132. Congress
eventually moved these compensation authorities to a separate
section, codified at 10 U.S.C. 1603, and retained the original
subsection title as the new section heading in the enacted version.
Compare 10 U.S.C. 1603 and S. 1745 (104th Congress 2d Session, July
10, 1996), Sec. 1132. In 10 U.S.C. 1603, Congress placed the
additional compensation authority in paragraph (a) and added the
heading indicating that Congress was granting DOD the authority to
offer additional compensation that is based on Title 5 additional
compensation provisions.
\62\ 6 U.S.C. 658(b)(3)(B).
---------------------------------------------------------------------------
Thus, DHS interprets the ``consistent with'' requirement as being
satisfied by ensuring any discretionary additional compensation is
based on Title 5 authorities, and those Title 5 authorities are
provisions regarding any type of additional compensation. In 6 U.S.C.
658(b)(3)(A), Congress identifies three types of additional
compensation: Benefits, incentives, and allowances. The terms
``benefits,'' ``incentives,'' and ``allowances'' are not defined in 6
U.S.C. 658, nor in Title 5, but are used in specific chapters,
subchapters, and sections of Title 5,\63\ along with other terms
describing additional compensation under Title 5.\64\ Even if a type of
Title 5 additional compensation is not necessarily a ``benefit,''
``incentive,'' or ``allowance,'' Congress gave the Secretary the
ability to consider such compensation under the Sec. 658 additional
compensation authority by using the term ``including,'' which signals
that the list of three possible examples of discretionary additional
compensation is not exhaustive.
---------------------------------------------------------------------------
\63\ See e.g. 5 U.S.C. Chapter 45 (``Incentive Awards''),
Chapter 59 (``Allowances''), and 8903 (``Health benefit plans'').
\64\ See e.g. 5 U.S.C. 4505a (``Performance-based cash
awards''), 5379 (``Student loan repayments''), and 6303-6304
(``Annual leave'').
---------------------------------------------------------------------------
DHS understands this responsibility to base any discretionary
additional compensation on Title 5 provisions as providing DHS
discretion over which, if any, types of additional compensation to
provide, as well as how to provide them. A base or foundation \65\ is
not usually the entirety of a thing, but it is instead something on
which more is built. Moreover, in contrast to the language mandating
allowances in nonforeign areas that explicitly requires following all
terms and conditions in Title 5 for those allowances, the language of
the discretionary additional compensation authority does not require
DHS use the terms and conditions of Title 5 provisions.\66\ Congress
uses
[[Page 47852]]
entirely different language for the discretionary additional
compensation, which signals a different requirement for such additional
compensation.\67\
---------------------------------------------------------------------------
\65\ A dictionary definition of the verb ``based'' means ``to
make, form, or serve as a base for'' or ``to find a foundation or
basis for.'' Merriam-Webster, <a href="https://www.merriam-webster.com/dictionary/base">https://www.merriam-webster.com/dictionary/base</a> (last visited May 25, 2021); see also Black's Law
Dictionary (5th Ed.) (defining ``basis'' as ``fundamental principle;
groundwork; support; the foundation or groundwork of anything; that
upon which anything may rest or the principal component parts of a
thing'').
\66\ Section 658(b)(3)(B) mandates that the Secretary provide an
employee in a qualified position an allowance in nonforeign areas
under 5 U.S.C. 5941 ``on the same basis and to the same extent as if
the employee was an employee covered by such section 5941, including
eligibility conditions, allowance rates, and all other terms and
conditions in law or regulation.''
\67\ Russello v. U.S., 464 U.S. 16, 23 (1983)(``[W]here Congress
includes particular language in one section of a statute but omits
it in another section of the same Act, it is generally presumed that
Congress acts intentionally and purposely in the disparate inclusion
or exclusion''); see also Bailey v. United States, 516 U.S. 137, 146
(1995) (``We assume that Congress used two terms because it intended
each term to have a particular, nonsuperfluous meaning. While a
broad reading of ``use'' undermines virtually any function for
``carry,'' a more limited, active interpretation of ``use''
preserves a meaningful role for ``carries'' as an alternative basis
for a charge'').
---------------------------------------------------------------------------
DHS must base any discretionary additional compensation on Title 5
provisions regarding types of additional compensation, and DHS may
combine and streamline such provisions as long as it is clear which
specific Title 5 provisions serve as the base or foundation for
discretionary additional compensation. As discussed subsequently in
III.B of this document, the current inability to quickly construct and
nimbly adjust competitive total compensation packages is a main factor
in DHS's challenges recruiting and retaining cybersecurity talent.
Therefore, as discussed further in IV.E of this document, DHS is
combining and streamlining several provisions of Title 5 to establish
types of additional compensation specific to the new talent management
system, as well as providing traditional Federal employee benefits,
such as retirement, health benefits, and insurance programs.
(ii) The Level Authorized
To provide additional compensation that is not in excess of the
level authorized for comparable positions authorized by Title 5, DHS
must identify ``the level'' that applies for the five types of
comparable positions authorized by Title 5. The definite article
``the'' in 6 U.S.C. 658(b)(3)(A) limits ``level'' to being a specific
level authorized for those comparable positions.
The one, specific level under Title 5 that applies to Title 5
additional compensation for the five types of comparable positions
authorized by Title 5 is the aggregate compensation cap in 5 U.S.C.
5307. The aggregate compensation cap limits certain cash payments if,
when added to total basic pay, such a payment would cause the
employee's annual total pay to exceed level I of the Executive Schedule
(EX) or the salary of the Vice President.\68\ The cap amount that
applies--EX-I or the salary of the Vice President--depends on position
type. As discussed previously in III.A.3 of this document, comparable
positions authorized by Title 5, at the very least, include SL/ST, SES,
experts and consultants, critical pay, and DOD HQE positions. All
individuals in such positions that qualify as an ``employee'' are
subject to the aggregate compensation cap: The EX-I cap amount applies
to experts and consultants positions and critical pay positions,\69\
and the Vice President's salary amount cap applies to SL/ST, SES, and
DOD HQE positions.\70\
---------------------------------------------------------------------------
\68\ 5 U.S.C. 5307.
\69\ 5 U.S.C. 5307(a).
\70\ 5 U.S.C. 5307(d)(1); 10 U.S.C. 9903(d)(3) (stating
``[n]otwithstanding any other provision of this section or of
section 5307,'' no additional payments may be made to an employee in
an HQE position if such payment would cause the employee's total
annual compensation to exceed the Vice President's salary).
---------------------------------------------------------------------------
Because discretionary additional compensation must not be in excess
of the level authorized for comparable positions authorized by Title 5,
such additional compensation when added to the salary of an employee in
a qualified position may not cause that employee's aggregate
compensation to exceed either EX-I or the Vice President's salary. Both
annual aggregate compensation cap amounts are relevant in applying
``the level'' to discretionary additional compensation for qualified
positions because both cap amounts apply for the five types of
comparable positions authorized by Title 5, and a qualified position is
simultaneously comparable to each such type of comparable position.
With the Secretary's broad authority and discretion for designating
and establishing qualified positions, for determining comparable
positions authorized by Title 5, for deciding whether to provide
discretionary additional compensation, including what types and how to
provide them, and for identifying the aggregate compensation cap as the
level for such additional compensation, it follows that the Secretary
also has implicit authority and discretion for how to apply the two cap
amounts. In exercising this implicit authority and discretion, the
Secretary must ensure that any discretionary additional compensation
does not cause aggregate compensation for employees in qualified
positions to exceed the applicable amount for that limit, and as such,
DHS is applying both annual aggregate compensation cap amounts, as
discussed further under IV.E.7 of this document.
B. Need for a New Approach to Cybersecurity Talent Management
To implement the broad authority and discretion in 6 U.S.C. 658,
DHS set out to design a cybersecurity talent management system capable
of solving DHS's historical and ongoing challenges recruiting and
retaining cybersecurity talent. To do so, the specialized design team
formed in 2016 analyzed:
<bullet> Historical DHS cybersecurity workforce data, including
input from current DHS employees and leaders about talent requirements
and gaps;
<bullet> notable changes to talent management at Federal agencies
since the 1970s, including efforts commonly referred to as personnel
demonstration projects or alternative personnel or pay systems;
<bullet> recommendations since the 1980s from non-profits,
academia, and public service experts related to modernizing the Federal
civil service and better supporting specialized, technical fields like
cybersecurity;
<bullet> major trends and market forces affecting contemporary
workers in public service and in the field of cybersecurity; and
<bullet> leading practices in both the public and private sectors
for recruiting and retaining cybersecurity talent.\71\
---------------------------------------------------------------------------
\71\ The specialized DHS team reviewed many studies and reports
as part of its analysis. The most relevant reference materials are
listed in V. Appendix: Reference Materials of this document.
---------------------------------------------------------------------------
This analysis confirmed the main factors contributing to DHS's
challenges recruiting and retaining cybersecurity talent: (1) The ever-
evolving nature of cybersecurity work; (2) an outdated and rigid
position classification system; and (3) a generic and inflexible
compensation approach based on position classification. Constant, often
unpredictable, changes in cybersecurity work require a focus on
individuals and their skills instead of a focus on narrowly-defined and
mostly-static jobs or positions created for predictable, stable work.
Significantly, DHS organizations struggle to effectively describe
cybersecurity work using outdated and rigid position classification
methods designed to apply generically across government and myriad
fields of expertise. DHS organizations also struggle to competitively
compensate employees using generic and inflexible compensation
structures that are closely linked to those classification methods.
The following discussion in III.B.1 through III.B.3 of this
document explains these main factors and DHS's need for a new approach
to cybersecurity talent management.
[[Page 47853]]
1. Ever-Evolving Nature of Cybersecurity Work Requires a Focus on the
Individual
To adequately accommodate the ever-evolving nature of cybersecurity
work, DHS must design and operate a new talent management system with a
greater focus on individuals and individuals' skills instead of
focusing on narrowly-defined and mostly-static jobs or positions. It is
important to note that the term ``skills,'' as used in this document,
encompasses a full array of knowledge, skills, abilities, behaviors,
aptitudes, competencies, and other characteristics and qualities that
distinguish talent.
Cybersecurity work, including the work necessary to execute the
dynamic DHS cybersecurity mission, constantly changes as technologies
and threats change. Cybersecurity work is knowledge work that requires
individuals to apply their skills to solve problems and achieve
outcomes, often in unpredictable ways. As cybersecurity work changes,
both the skills necessary to perform that work and how those skills are
applied to perform that work also change. With cybersecurity work, as
with some other types of knowledge work, an individual, because of that
individual's specific skills, can have a significant influence on how
work activities and tasks are performed as well as the quantity and
quality of resulting outcomes for the organization.
Additionally, cybersecurity work is intrinsically
multidisciplinary, requiring individuals with a variety of skills
associated with multiple academic disciplines and areas of professional
specialization. Cybersecurity work is frequently performed in a team
format in which individuals combine, and recombine, a variety of skills
to generate effective, and potentially novel, solutions to problems.
The manner in which they apply their collective skills is unique to the
circumstances of each problem and cannot always be anticipated or
described in advance. This collaborative work is often performed on an
ad hoc or project basis.
Notably, there is no singular or standard cybersecurity career
path, and work arrangements for cybersecurity talent continue to
change. For some contemporary workers, a 30-year Federal career is not
desirable, and it is increasingly common for individuals to have
careers with multiple significant shifts between employers, fields of
work, and types of jobs.\72\ A cybersecurity career may include a
variety of work arrangements, including part-time work, longer-term
jobs or assignments, and project-based work for limited periods of
time. Also, collaborative cybersecurity work is often performed
entirely through digital means by geographically dispersed individuals.
---------------------------------------------------------------------------
\72\ See e.g., Bernard Marr, The Future of Work: 5 Important
Ways Jobs Will Change the 4th Industrial Revolution, Forbes, July
15, 2019, available at <a href="https://www.forbes.com/sites/bernardmarr/2019/07/15/the-future-of-work-5-important-ways-jobs-will-change-in-the-4th-industrial-revolution/#3ffd62b754c7">https://www.forbes.com/sites/bernardmarr/2019/07/15/the-future-of-work-5-important-ways-jobs-will-change-in-the-4th-industrial-revolution/#3ffd62b754c7</a> (last visited May 25,
2021); see also U.S. Office of Personnel Management, A Fresh Start
for Federal Pay: The Case for Modernization, (Apr. 2002), 7 and 42.
---------------------------------------------------------------------------
To succeed amidst such constant changes in cybersecurity work,
individuals with cybersecurity skills look for career opportunities
that allow them to continually learn in order to keep their expertise
current and to acquire new skills.\73\ In coming years, the
proliferation of machine learning, artificial intelligence,
collaborative digital technology, and other advances will continue to
transform cybersecurity work, further reinforcing the requirement for
individuals performing cybersecurity work to maintain and acquire
relevant, valuable cybersecurity skills. As cybersecurity work evolves,
some cybersecurity skills can quickly become obsolete, while some new,
difficult-to-obtain skills may emerge and become highly prized.
---------------------------------------------------------------------------
\73\ Id.
---------------------------------------------------------------------------
Currently, the demand for cybersecurity talent is high and the
supply of cybersecurity talent is low, with studies continuing to
document and project dramatic critical skills shortages in terms of
hundreds of thousands of employees.\74\ With this shifting and growing
skills gap, the competition for cybersecurity talent among Federal
agencies and the private sector also shifts and grows. With more
cybersecurity jobs nationally than qualified candidates, many
individuals with sought-after cybersecurity skills are not active job
seekers, having secured jobs performing work aligned to their
interests.\75\ When an individual with uncommon cybersecurity skills
accepts a new cybersecurity job, it is often after being pursued by
several organizations interested in the individual's cybersecurity
expertise.\76\
---------------------------------------------------------------------------
\74\ See e.g., William Crumpler & James A. Lewis, The
Cybersecurity Workforce Gap, (Jan. 2019) available at <a href="https://www.csis.org/analysis/cybersecurity-workforce-gap">https://www.csis.org/analysis/cybersecurity-workforce-gap</a> (last visited May
25, 2021); (ISC\2\), Strategies for Building and Growing Strong
Cybersecurity Teams, (ISC\2\) Cybersecurity Workforce Study, 2019,
available at <a href="https://www.isc2.org/Research/2019-Cybersecurity-Workforce-Study">https://www.isc2.org/Research/2019-Cybersecurity-Workforce-Study</a> (last visited May 25, 2021); Martin C. Libicki et
al., H4CKER5 WANTED: An Examination of the Cybersecurity Labor
Market, National Security Research Division, RAND Corporation (2014)
available at <a href="https://www.rand.org/content/dam/rand/pubs/research_reports/RR400/RR430/RAND_RR430.pdf">https://www.rand.org/content/dam/rand/pubs/research_reports/RR400/RR430/RAND_RR430.pdf</a> (last visited May 25,
2021).
\75\ Id.
\76\ See e.g., (ISC)\2\, Hiring and Retaining Top Cybersecurity
Talent: What Employers Need to Know About Cybersecurity Jobseekers
(2018), available at <a href="https://www.isc2.org/Research/Hiring-Top-Cybersecurity-Talent">https://www.isc2.org/Research/Hiring-Top-Cybersecurity-Talent</a> (last visited May 25, 2021).
---------------------------------------------------------------------------
Private sector employers have adjusted to the evolving nature of
cybersecurity work, careers, and work arrangements by adopting new
person- and skill-focused talent management practices that enable them
to compete for critical talent. Such new practices include: Proactive
recruitment to identify and seek out individuals who could be
successful at cybersecurity work, even if they have never held a job in
the field; eliminating traditional job requirements, like academic
degrees, to avoid unnecessarily limiting applicant pools; and providing
training to help employees keep skills current.\77\
---------------------------------------------------------------------------
\77\ See e.g., (ISC)\2\, Strategies for Building and Growing
Strong Cybersecurity Teams, (ISC)\2\ Cybersecurity Workforce Study,
2019, available at <a href="https://www.isc2.org/Research/2019-Cybersecurity-Workforce-Study">https://www.isc2.org/Research/2019-Cybersecurity-Workforce-Study</a> (last visited May 25, 2021); Emil Sayegh, As the End
of 2020 Approaches, The Cybersecurity Talent Drought Gets Worse,
Forbes, Sep. 22, 2020, available at <a href="https://www.forbes.com/sites/emilsayegh/2020/09/22/as-the-end-of-2020-approaches-the-cybersecurity-talent-drought-gets-worse/?sh=104825545f86">https://www.forbes.com/sites/emilsayegh/2020/09/22/as-the-end-of-2020-approaches-the-cybersecurity-talent-drought-gets-worse/?sh=104825545f86</a> (last
visited May 25, 2021).
---------------------------------------------------------------------------
DHS can address its historical and ongoing challenges recruiting
and retaining cybersecurity talent by designing a new talent management
system with a focus on the individual and individuals' skills. To do
so, DHS must create qualified positions based on individuals and
skills. DHS must design and operate recruitment, application, and
hiring processes to identify individuals with necessary skills as well
as individuals likely to perform DHS cybersecurity work successfully,
including those starting their careers who show promise and have an
interest in public service. DHS must also design and operate a
compensation system providing flexibility to adjust to cybersecurity
talent market demands and recognize how employees influence and
contribute to the cybersecurity mission. DHS can do this under the
authority and exemptions in 6 U.S.C. 658, especially the Secretary's
broad authority and discretion for designating and establishing
qualified positions and the exemption relating to classification of
employees.
2. Outdated, Rigid Position Classification Inadequately Describes
Cybersecurity Work
Instead of using position classification methods and related talent
management
[[Page 47854]]
practices, DHS must create a new work valuation system that recognizes
that cybersecurity work is constantly evolving and that the performance
of cybersecurity work is highly dependent on the skills of individuals.
Traditional Federal position classification serves as the
foundation for many existing Federal civilian talent management
practices and provides structures that influence talent management for
much of the Federal civil service across agencies. The design and
operation of traditional Federal position classification methods,
however, presume that mission requirements, technology, fields of work,
and position duties are generally static and stable.\78\ Traditional
Federal position classification is based on the core concepts that
Federal work is largely predictable and can be defined and valued using
the same processes regardless of mission, the nature of the work, or
the individual performing the work.\79\
---------------------------------------------------------------------------
\78\ U.S. Government Accountability Office reports: Human
Capital: OPM Needs to Improve the Design, Management, and Oversight
of the Federal Classification System, GAO-14-677 (July 2014) 14-18;
Human Capital: Opportunities to Improve Executive Agencies' Hiring
Process, GAO-03-450 (May 2003), 14.
\79\ Joseph W. Howe, History of the General Schedule
Classification System, prepared for the U.S. Office of Personnel
Management, Final Report FR-02-25 (Mar. 2002) (Howe Final Report FR-
02-25) 8, 91, 93.
---------------------------------------------------------------------------
Traditional Federal position classification methods are too rigid
and outdated for cybersecurity talent management at DHS because they
cannot effectively describe and support the ever-evolving cybersecurity
work associated with DHS's dynamic cybersecurity mission. Traditional
Federal position classification has been the foundation of most Federal
civilian talent management practices since the GS position
classification system was established in the Classification Act of
1949,\80\ which was based on the first law regarding work valuation,
the Classification Act of 1923.\81\ While the core concepts and major
features of the GS position classification system were established
almost 100 years ago, they have remained largely unchanged. Notably,
classification reform was excluded from the largest transformation of
Federal talent management in the last 50 years, the Civil Service
Reform Act of 1978.\82\
---------------------------------------------------------------------------
\80\ Public Law 81-429 (Oct. 28, 1949).
\81\ Public Law 67-516 (Mar. 4, 1923). The purpose of the
Classification Act of 1949 was to improve the design and
administration of the work valuation system from 1923 and improve
the pay plan that developed around the 1923 work valuation system.
See Howe Final Report FR-02-25 at 1. The Classification Act of 1923
was repealed by the Classification Act of 1949, and that Act was
repealed in 1966 by the law enacting Title 5 and codifying the
provisions of the Classification Act of 1949 in 5 U.S.C. Chapters 51
and 53. See Public Law 89-544 (Aug. 1966).
\82\ Public Law 95-454 (Oct. 1978); Howe Final Report FR-02-25
at 148 (``The cumulative effect of the new statute and the
reorganization [the Civils Service Reform Act of 1978 and the
Reorganization Plan No. 2 of 1978] was to change virtually every
aspect of personnel management--except for job evaluation under the
General Schedule and the Federal Wage System, both of which were
untouched by civil service reform'').
---------------------------------------------------------------------------
Traditional Federal position classification primarily focuses on
the work of a position and minimally accounts for the individual or the
individual's skills, including how the individual's skills may
influence the performance of work. For decades scholars and
practitioners have discussed the problems with traditional Federal
position classification's ability to describe knowledge work,\83\
particularly when multiple disciplines are applied by one position or
individual and when work assignments change quickly. For example, the
U.S. Government Accountability Office (GAO) recently highlighted that,
almost since the inception of the GS position classification system in
1949, critics have raised questions about its ability to keep pace with
the evolving nature of government work.\84\ GAO had previously
explained: ``The classification process and standard job
classifications were generally developed decades ago when typical jobs
were more narrowly defined and, in many cases, were clerical or
administrative. However, today's knowledge-based organizations' jobs
require a broader array of tasks that may cross over the narrow and
rigid boundaries of job classification.'' \85\ GAO emphasized that
under traditional Federal position classification, ``the resulting job
classifications and related pay might not match the actual duties of
the job. This mismatch can hamper efforts to fill the positions with
the right people.'' \86\
---------------------------------------------------------------------------
\83\ Knowledge work involves problem solving and leveraging a
worker's knowledge to accomplish the work, which may be in the form
of a job, process, task, or goal. Knowledge work is contrasted with
manual work that involves simple unskilled motions, and adding
knowledge to that manual work influences the way the motions are put
together organized and executed. See Peter F. Drucker, Knowledge
Worker Productivity: The Biggest Challenge, 41 California Management
Review 79 (Winter 1999).
\84\ U.S. Government Accountability Office reports: Federal
Workforce: Talent Management Strategies to Help Agencies Better
Compete in a Tight Labor Market, GAO-19-723T (Sept. 2019), 5;
Priority Open Recommendations: Office of Personnel Management, GAO-
19-322SP (Apr. 2019), 2; and Human Capital: OPM Needs to Improve the
Design, Management, and Oversight of the Federal Classification
System, GAO-14-677 (July 2014), GAO Highlights section.
\85\ U.S. Government Accountability Office, Human Capital:
Opportunities to Improve Executive Agencies' Hiring Process, GAO-03-
450 (May 2003), 14.
\86\ Id.
---------------------------------------------------------------------------
Additionally, position classification standards, which supply the
criteria for classifying positions, describe work as it existed and was
performed throughout Federal agencies at the time the standards were
developed.\87\ Rigid position classification standards are not--and
have never been--able to adequately support the emerging field of
cybersecurity or keep pace with rapid changes in how cybersecurity work
is performed. For example, the first position classification standards
for the digital computer occupation were published in 1958, but ``rapid
changes in technology'' necessitated updates to those newly published
standards only one year later in 1959.\88\ Decades later in 1989, the
Merit System Protection Board highlighted that Federal computer-focused
work was subject to more rapid change than work in other fields.\89\
Despite such findings, updates to position classification standards
related to cybersecurity have remained infrequent, even as
technological change has accelerated.\90\ Currently, a classification
determination using outdated position classification standards dictates
a cybersecurity position's salary under Title 5 and such a
determination also constricts potential future salary for any
individual appointed to the position.\91\ Existing position
classification methods cannot accommodate or address significant
changes in the cybersecurity work of such a position or easily
acknowledge changes in the skills needed to perform the work.\92\
---------------------------------------------------------------------------
\87\ U.S. Office of Personnel Management, Introduction to the
Position Classification Standards (2009), 20.
\88\ Howe Final Report FR-02-25 at 78.
\89\ Id. at 283.
\90\ See e.g., U.S. Office of Personnel Management, Job Family
Standard for Administrative Work in the Information Technology
Group, 2200, (May 2001, revised Aug. 2003, Sept. 2008, May 2011,
Oct. 2018) (documenting that in the first two decades of the 21st-
century this classification standard was updated only four times,
and before May 2001, the predecessor Computer Specialist Series, GS-
334, which covered the majority of two-grade interval work in this
field, was last revised in July 1991).
\91\ U.S. Office of Personnel Management, A Fresh Start for
Federal Pay: The Case for Modernization, (Apr. 2002), 27 (``In the
Federal Government, job evaluation points = grade = base pay. Under
this approach, job evaluation does not simply inform base pay; it
dictates base pay) (emphasis original).
\92\ Id. (``The [Federal compensation] system's architecture and
guidelines do not permit Federal agencies to allow non-
classification factors--such as the importance of the work to the
employing agency, salaries paid by competing employers, turnover
rates, and added value derived from employees acquiring additional
competencies applicable to the same level of work--to influence base
pay, other than by notable exception.'')
---------------------------------------------------------------------------
[[Page 47855]]
Congress has long recognized the role traditional Federal position
classification plays in hampering flexibility and innovation when
addressing recruitment and retention challenges. As part of authorizing
a series of human capital flexibilities for civilian intelligence
organizations in DOD in the 1980s, now consolidated within the DOD
DCIPS authority,\93\ Congress included an exemption from laws relating
to ``classification'' for those DOD organizations.\94\ This
classification exemption in the DCIPS predecessor authorities is the
origin of the similar exemption relating to classification in 6 U.S.C.
658(b)(1)(B).\95\ Nearly 40 years ago, in the legislative history for
one of the DOD DCIPS predecessor authorities, Congress recognized that
the Defense Intelligence Agency ``must be able to compete effectively
in the job market for these skills [in foreign intelligence analysis]
and offer rewarding career prospects to retain personnel.'' \96\
Congress also recognized: ``Intelligence personnel management systems
also need to be flexible to adjust to changing intelligence interests
as driven by a dynamic world environment.'' \97\ In this legislative
history, Congress specifically called out the classification exemption
stating: ``Classification authority would be granted to permit
establishment of compensation based on individual capabilities and to
ensure timely assignment and utilization of high quality personnel to
meet changing intelligence requirements.'' \98\
---------------------------------------------------------------------------
\93\ The DOD DCIPS authority was a consolidation of two
predecessor DOD authorities relating to civilian intelligence
personnel in 10 U.S.C. 1604 specific to the Defense Intelligence
Agency (DIA) and in 10 U.S.C. 1590 for other civilian intelligence
officers and employees. See National Defense Appropriations Act for
Fiscal Year1997 Public Law 104-201, Sec. 1632 and 1633(a) (Sept.
1996).
\94\ 10 U.S.C. 1590 (1995) and 10 U.S.C. 1604 (1995).
\95\ The DOD DCIPS exemption authority came from those two
predecessor DOD authorities, and the Sec. 658 exemption language
mirrors the DOD DCIPS exemption authority. See 10 U.S.C. 1590
(1995); 10 U.S.C. 1604 (1995); and 10 U.S.C. 1601(b) (2014).
\96\ S. Rep. 98-481, Authorizing Appropriation for Fiscal Year
1985 For Intelligence Activities of the U.S. Government, The
Intelligence Community Staff, the Central Intelligence Agency
Retirement and Disability System (CIARDS), and for other purposes,
Report [To accompany S. 2713] (May 24, 1984), 8.
\97\ Id.
\98\ Id. at 9.
---------------------------------------------------------------------------
The exemption relating to classification in 6 U.S.C. 658 exempts
DHS from traditional Federal position classification systems and
methods and allows DHS to establish a new work valuation system to
serve as a new foundation for new, specialized talent management
practices. A new work valuation system must have new structures to
adequately describe ever-evolving DHS cybersecurity work. It must also
support creating qualified positions based on cybersecurity skills and
the individuals with those skills and operating new talent management
practices for those positions. Importantly, a new work valuation system
is necessary for a new compensation system and must enable and support
new practices for providing competitive compensation.
3. Generic, Inflexible Compensation Limits Ability To Compete for
Cybersecurity Talent
Instead of existing compensation practices linked to traditional
Federal position classification, DHS needs a new, market-sensitive
salary system and an agile approach to providing other compensation for
cybersecurity talent. Current Federal civilian compensation practices
under Title 5 authority are designed to apply and be administered
across a range of agencies, missions, and types of work.\99\ DHS needs
a different compensation approach for the same reasons that DHS needs
to create a new work valuation system: To recognize that cybersecurity
work is constantly evolving and to recognize that the performance of
cybersecurity work is highly dependent on the skills of individuals.
Changing the underlying work valuation system of a talent management
system also necessitates changing the connected compensation
system.\100\
---------------------------------------------------------------------------
\99\ See generally, U.S. Office of Personnel Management, A Fresh
Start for Federal Pay: The Case for Modernization, (Apr. 2002), 31-
34.
\100\ Id. at 4-11.
---------------------------------------------------------------------------
Current compensation approaches for most positions in the Federal
civil service are based on the same core concepts as traditional
Federal position classification: Federal work is presumed to be largely
predictable and able to be described and valued using the same
processes regardless of mission, the nature of the work, or the
individual performing the work. Such Federal compensation approaches
use traditional Federal position classification structures, including
classes and grades, to facilitate systematic management of Federal
employees and address internal equity among similar positions across
Federal agencies.\101\ These structures ensure that positions are
described and paired with salary rates in a consistent manner using
generic salary structures, including the GS pay system, that apply
across myriad fields of work and cannot effectively account for an
individual's cybersecurity skills or the cybersecurity work an
individual performs.\102\ For example, the specific requirements for
salary progression under the GS pay schedule, including grade and step
increases, assume that an employee becomes better at work, more
qualified, and more valuable to an agency with each passing year.\103\
---------------------------------------------------------------------------
\101\ See generally, U.S. Office of Personnel Management, A
Fresh Start for Federal Pay: The Case for Modernization, (Apr.
2002), 26-30.
\102\ Id.
\103\ Id.
---------------------------------------------------------------------------
As discussed previously, however, cybersecurity work is constantly
changing and performance of DHS cybersecurity work depends on
individuals with mission-critical skills, which also change as
technology and threats change. Moreover, the cybersecurity skills that
are the most valuable to DHS today might not be as valuable to DHS in
five, ten, or 30 years. For example, DHS, like many cybersecurity
employers, now needs individuals with skills related to mobile
technology, cloud computing, the Internet of Things, embedded and
cyber-physical systems, blockchain, cryptocurrency and ransomware and
cyber extortion; the DHS cybersecurity mission did not require all
these skills and specializations ten or even five years ago.
Additionally, there is a specific, competitive talent market for
cybersecurity that comprises both cybersecurity talent, which is
individuals with cybersecurity skills, and cybersecurity employers,
including Federal agencies and private sector employers. As discussed
previously, the current demand for cybersecurity talent is high, and
the supply of cybersecurity talent is low.\104\ This relationship
between demand for and supply of cybersecurity talent causes
competition among employers for top cybersecurity talent, and as a
result, individuals with cybersecurity skills, especially uncommon
skills, have their choice of employment opportunities.\105\
---------------------------------------------------------------------------
\104\ See supra note 74.
\105\ See supra note 76.
---------------------------------------------------------------------------
In competing for top cybersecurity talent, DHS has the advantage of
its unique cybersecurity mission. DHS's cybersecurity mission offers
DHS cybersecurity talent the opportunity to work across organizations
and with key external partners and stakeholders to identify and
mitigate national cybersecurity risks. Unfortunately, DHS cannot
currently compete with compensation packages offered by many
[[Page 47856]]
private sector employers. DHS's ability to offer competitive
compensation to top cybersecurity talent, including individuals with
uncommon, mission-critical skills, is limited by generic Federal salary
structures, inflexible rules and practices for setting and adjusting
salaries, and inflexible rules and practices for providing other
compensation.
In contrast, many private sector employers can offer individuals
with cybersecurity expertise competitive starting salaries as well as
the possibility of more rapid raises and significant other
compensation, such as automatic signing bonuses.\106\ Many private
sector employers are also able to swiftly adjust their compensation
packages to recruit and retain top talent, and they do so with an
understanding of their major competitors and those competitors'
approaches to compensation. These private sector employers have
compensation strategies and techniques with built-in agility to respond
to business or market changes.\107\
---------------------------------------------------------------------------
\106\ See generally, U.S. Office of Personnel Management, A
Fresh Start for Federal Pay: The Case for Modernization, (Apr.
2002), 4-11, 18.
\107\ Id. at 6, 18.
---------------------------------------------------------------------------
In addition to salaries, compensation in the cybersecurity talent
market includes types of other compensation. DHS could offer other
compensation using the existing Federal compensation toolset; however,
it is both cumbersome to use and ineffective for constructing market-
sensitive compensation packages capable of recruiting highly-skilled
cybersecurity talent.\108\ That toolset comprises a complex set of
separate types of compensation for specific Federal talent management
situations and are not intended to form a cohesive set. For example,
there are multiple types of incentives and cash payments
available,\109\ and each type applies to a different recruitment or
retention situation and has different rules and requirements, including
approvals, amount limitations, and administration processes.\110\ This
incohesive toolset also is designed to complement generic Federal
salary structures, and much like those structures, it is designed to
apply and be administered across a range of agencies, missions, and
fields of work, and is not intended to be market-sensitive.\111\ To
construct a competitive compensation package, especially one that is
responsive to the talent market, requires piecing together these
separate types of compensation and attempting to do so in a timely
manner.
---------------------------------------------------------------------------
\108\ See, U.S. Office of Personnel Management, A Fresh Start
for Federal Pay: The Case for Modernization, (Apr. 2002), 4 (``The
divergence between the Federal pay system and the broader world of
work where the war for talent must be fought has led observers to
call for reform of the Federal system. To support achievement of the
Government's strategic goals, a new, more flexible system may be
called for, one that better supports the strategic management of
human capital and allows agencies to tailor their pay practices to
recruit, manage, and retain the talent to accomplish their
mission'').
\109\ See e.g., 5 U.S.C. 4502 (providing awards for a
suggestion, invention, superior accomplishment or other meritorious
effort); 5 U.S.C. 4503 (providing agency awards for special acts); 5
U.S.C. 4505a (providing performance-based awards for GS employees);
5 U.S.C. 4523 (providing foreign language capabilities awards for
law enforcement officers); and 5 U.S.C. 5753-5754 (providing
recruitment incentives, relocation incentives, and retention
incentives).
\110\ See id. For example, 5 U.S.C. 5753 and 5754 provides
incentives for recruitment, relocation, and retention, which are
commonly referred to as the ``3Rs''; however, the 3Rs have separate
requirements for each of specific situations.
\111\ See, U.S. Office of Personnel Management, A Fresh Start
for Federal Pay: The Case for Modernization, (Apr. 2002), 12-16.
---------------------------------------------------------------------------
The compensation authority in 6 U.S.C. 658, as well as the
exemptions relating to classification and compensation, allows DHS to
establish a new compensation system to effectively recruit and retain
cybersecurity talent by offering competitive compensation. And if DHS
is creating a new work valuation system, DHS must create a new
compensation approach that is based on that new work valuation system.
A new compensation system also must be based on cybersecurity skills,
people with those skills, and the value of those skills to DHS. Such an
approach to compensation must be informed both by DHS mission needs and
trends affecting compensation of individuals with cybersecurity skills
in the broader cybersecurity talent market. A new compensation system
must provide flexibility to adjust to cybersecurity talent market
demands and recognize mission impact, instead of rewarding longevity in
position or Federal government service; it must also provide
flexibility to consider an individual's total compensation and quickly
construct and nimbly adjust a competitive total compensation package.
IV. Discussion of the Rule
To address the Department's historical and ongoing challenges
recruiting and retaining cybersecurity talent, DHS is re-envisioning
talent management for 21st-century cybersecurity work under the
authority in 6 U.S.C. 658. The result is CTMS.
CTMS is a mission-driven, person-focused, and market-sensitive
approach to talent management. CTMS relies on new concepts and
definitions and features interrelated elements, which are new
processes, systems, and programs, that are based on leading public and
private sector talent management practices.
CTMS is designed to be responsive to the ever-evolving field of
cybersecurity and the dynamic DHS cybersecurity mission. This
innovative talent management approach is intended to support and remain
aligned to the cybersecurity work that executes the DHS cybersecurity
mission, even as technology, relevant expertise, and cybersecurity work
arrangements change.
The result of this approach to talent management is the DHS-CS. The
DHS-CS comprises qualified positions created under CTMS and employees
serving in those positions and covered by CTMS.
The DHS-CS is a new cadre within the broader DHS cybersecurity
workforce supporting execution of the DHS cybersecurity mission. The
DHS-CS is not intended to replace the DHS civilian employees and United
States Coast Guard Military personnel currently performing work
relating to cybersecurity.
DHS will first use CTMS and hire the first DHS-CS employees in the
Cybersecurity and Infrastructure Security Agency (CISA) and DHS Office
of the Chief Information Officer (DHS OCIO). DHS will operate CTMS in
work units consistent with its rights and obligations under the Federal
Service Labor Management Relations Statute. Additionally, 6 U.S.C.
658(e) prohibits the involuntary conversion of existing DHS employees
into the DHS-CS. Accordingly, current DHS employees will not be placed
into qualified positions or required to join the DHS-CS. All
individuals interested in supporting the DHS cybersecurity mission by
serving in the DHS-CS, including current DHS employees, other Federal
employees, and private citizens, must apply for employment under CTMS.
DHS is adding a new part 158 to Title 6 of the Code of Federal
Regulations to implement and govern CTMS and the DHS-CS. Part 158
contains several subparts setting forth the interrelated CTMS elements
that function together as a complete talent management system. The
subparts and sections in part 158 contain internal cross-references
indicating where one element of the system influences another element.
Subparts A and B of part 158 address the new approach to talent
management, new talent management concepts and CTMS-specific
definitions, and the
[[Page 47857]]
DHS-CS. Subpart C addresses CTMS and DHS-CS leadership. Subpart D
introduces the CTMS element of strategic talent planning that enables
CTMS to be mission-driven, person-focused, and market-sensitive.
Subparts E, F, G, and H address CTMS elements for acquiring talent,
compensating talent, deploying talent, and developing talent,
respectively. Subpart I addresses Federal civil service employee rights
and requirements that apply under CTMS and in the DHS-CS and Subpart J
addresses CTMS political appointments, known as advisory appointments.
New part 158 establishes CTMS and the DHS-CS and the policy
framework for both. Part 158 sets the parameters for how DHS will
administer CTMS and manage the DHS-CS. Internal DHS policy implementing
part 158 will provide operational detail. Part 158 implements the
Secretary's authority in 6 U.S.C. 658 and it is the Secretary or the
Secretary's designee who establishes and administers CTMS and
establishes and manages the DHS-CS. Part 158 also makes clear that it
is the Secretary or the Secretary's designee who establishes and
administers the CTMS elements, while it is the ``Department'' that
operates the elements. As defined in Sec. 158.104, the term
``Department'' means the Department of Homeland Security. In internal
DHS policy implementing part 158, the Secretary will, as necessary,
delegate authority and designate and delineate roles and
responsibilities for specific DHS organizations and officials.
A. New Approach to Talent Management: Subparts A & B
Subpart A in new 6 CFR part 158 addresses the design,
establishment, and coverage of CTMS and the DHS-CS, the authority for
part 158, and new talent management concepts and CTMS-specific
definitions. Subpart B in new part 158 addresses the DHS-CS and sets
out the main aspects of the DHS-CS and employment in the DHS-CS.
1. Subpart A--General Provisions
Part 158, subpart A, General Provisions, contains regulations
addressing the design and establishment of CTMS. CTMS encompasses the
definitions and processes, systems, and programs established under part
158. As stated in Sec. 158.101, CTMS is designed to recruit and retain
individuals with the qualifications necessary to execute the DHS
cybersecurity mission. CTMS is also designed to adapt to changes in
cybersecurity work, the cybersecurity talent market, and the DHS
cybersecurity mission.
Along with CTMS, DHS is establishing the DHS-CS. See Sec. 158.101.
As defined in Sec. 158.104, the DHS-CS comprises all qualified
positions designated and established under CTMS and all employees
appointed to qualified positions. DHS hires, compensates, and develops
DHS-CS employees using CTMS. Section 158.103 explains that part 158
covers CTMS, the DHS-CS, all individuals interested in joining the DHS-
CS, all DHS-CS employees, and all individuals involved in managing DHS-
CS employees and all individuals involved in any talent management
actions using CTMS.
The adaptable design of CTMS enables DHS to manage the DHS-CS with
a focus on mission-critical qualifications, even as cybersecurity work,
the cybersecurity talent market, and the DHS cybersecurity mission
change.
As discussed previously in III.A of this document, the authority in
6 U.S.C. 658, especially the authority and discretion for designating
and establishing qualified positions and the exemption from laws
relating to classification, enable DHS to create this new mission-
driven, person-focused, and market-sensitive approach. As also
discussed previously in III.B, DHS needs this new approach for 21st-
century cybersecurity work and to address DHS's challenges recruiting
and retaining cybersecurity talent.
(a) A New Type of Position: Qualified Positions
Under part 158, ``qualified position'' means CTMS qualifications
and DHS-CS cybersecurity work, the combination of which is associable
with an employee. See Sec. 158.104. The purpose of this conceptual
definition of qualified position is to capture the relationship between
CTMS qualifications and DHS-CS cybersecurity work: An individual with
those qualifications should be able to successfully and proficiently
perform that range of cybersecurity work. The cybersecurity work of a
qualified position represents a range of potential DHS cybersecurity
work, in acknowledgement that qualifications can be applied in a
variety of ways to produce a variety of work outcomes, including some
that are hard to predict or describe in detail in advance. DHS also
uses the term qualified position in the administration and operation of
CTMS to refer to the specific qualified position established for a DHS-
CS employee upon appointment. A DHS-CS employee's qualified position is
the employee's assessed CTMS qualifications and the range of work that
employee can successfully and proficiently perform with those
qualifications. When DHS documents a DHS-CS employee's qualified
position as part of recordkeeping under Sec. 158.706, DHS is
documenting that employee's CTMS qualifications and the employee's
related range of work.
DHS is creating qualified positions as a new type of Federal civil
service position with a focus on individuals and qualifications under
the Secretary's authority and discretion for designating and
establishing qualified positions and the exemption from laws relating
to classification in 6 U.S.C. 658. DHS is not using existing types of
positions defined under Chapter 51 position classification, or
processes from Title 5 or other laws, to create qualified positions.
As explained previously in III.C.1 of this document, under the
authority and exemptions in 6 U.S.C. 658, DHS may determine the use of
qualified positions and create such positions as new positions in the
excepted service. DHS may do so without regard to existing definitions
of positions, and how the concept of position is currently used, in
other Federal talent management systems. DHS designates and establishes
qualified positions based on the DHS cybersecurity mission and the
skills, or qualifications, individuals must possess to execute that
mission.
Designating and establishing qualified positions based on the DHS
cybersecurity mission and individuals' qualifications implements the
statutory definition and description of qualified position. Section 658
defines a qualified position as a position, designated by the
Secretary, in which the incumbent performs, manages, or supervises
functions that execute the responsibilities of DHS relating to
cybersecurity.\112\ The statute also describes qualified positions as
positions the Secretary, in establishing those positions, determines
are necessary to carry out DHS's cybersecurity responsibilities.\113\
In both instances, the statute vests substantial discretion in the
Secretary to determine which positions are qualified positions under
the statute. This rule retains that discretion.
---------------------------------------------------------------------------
\112\ 6 U.S.C. 658(a)(5).
\113\ 6 U.S.C. 658(b)(1)(A)(i).
---------------------------------------------------------------------------
Designating and establishing qualified positions as a new type of
position also implements the statutory description of establishing
qualified positions, which indicates they may be a type of position or
a category that includes several types of positions. The statutory
description of establishing qualified positions states
[[Page 47858]]
that qualified positions may include positions ``formerly identified
as'' SL/ST positions and SES positions.\114\ The ``formerly identified
as'' language identifies SL/ST positions and SES positions as examples
of types of positions the Secretary may designate and establish as
qualified positions.\115\ Thus, qualified positions may be similar to
SL/ST positions and SES positions, but these non-exhaustive examples do
not limit the Secretary to creating qualified positions only as SL/ST-
like positions and SES-like positions.\116\
---------------------------------------------------------------------------
\114\ 6 U.S.C. 658(a)(b)(1)(A)(i)(I)-(II).
\115\ Congress also explicitly excludes any ``qualified
positions'' established under 6 U.S.C. 658 from the definition of
``Senior Executive Position'' under Title 5. 5 U.S.C. 3132
(a)(2)(iii).
\116\ While the Secretary has broad authority and discretion to
create qualified positions, the Secretary may not create qualified
positions from existing DHS positions through the involuntary
conversion of positions, and DHS employees serving in those
positions, from the competitive service to the excepted service. 6
U.S.C. 658(e).
---------------------------------------------------------------------------
The Secretary or designee designates and establishes qualified
positions in the excepted service as the Secretary or designee
determines necessary for the most effective execution of the DHS
cybersecurity mission. See Sec. 158.203. Designating and establishing
qualified positions is discussed further in IV.A.2 of this document.
(b) A New Definition of ``Qualifications''
As mentioned previously, DHS is defining individuals' cybersecurity
skills as ``qualifications'' for purposes of designating and
establishing qualified positions. Individuals' cybersecurity skills
encompass a full array of characteristics and qualities that
distinguish talent.
Under part 158, ``qualification,'' means a quality of an individual
that correlates with the successful and proficient performance of
cybersecurity work, such as capability, experience and training, and
education and certification. See Sec. 158.104. A capability is a
cluster of interrelated attributes that is measurable or observable or
both. A capability under CTMS is analogous to a grouping of
competencies.\117\ Interrelated attributes under CTMS include
knowledge, skills, abilities, behaviors, and other characteristics.
---------------------------------------------------------------------------
\117\ OPM defines a competency as ``a measurable pattern of
knowledge, skills, abilities, behaviors and other characteristics
that an individual needs in order to perform work roles or
occupational functions successfully.'' Office of Personnel
Management, Delegated Examining Operations Handbook: A Guide for
Federal Agency Examining Offices (June 2019), page 2-13. Examples of
competencies include oral communication, flexibility, customer
service, and leadership. Id.
---------------------------------------------------------------------------
DHS must create its own qualifications for its unique cybersecurity
mission because the field of cybersecurity currently lacks formal,
universal standards for cybersecurity skills on which to base CTMS
qualifications. As discussed previously in III.B.1 of this document,
cybersecurity skills continue to change at a staggering pace because of
the ever-evolving nature of cybersecurity work. This rapid change
hampers professionalization in the field of cybersecurity, including
the establishment of universal standards for cybersecurity skills.\118\
Moreover, DHS's unique cybersecurity mission requires specialized
skills and specific combinations of those skills. Therefore, DHS needs
to identify, validate, and maintain its own set of qualifications
necessary to execute the DHS cybersecurity mission, including the
unique functions and responsibilities of DHS organizations.
---------------------------------------------------------------------------
\118\ See National Research Council, Professionalizing the
Nation's Cybersecurity Workforce?: Criteria for Decision-Making, The
National Academies Press (2013) available at <a href="https://doi.org/10.17226/18446">https://doi.org/10.17226/18446</a> (last visited May 25, 2021) (examining workforce
requirements for cybersecurity and the segments and job functions in
which professionalization is most needed; the role of assessment
tools, certification, licensing, and other means for assessing and
enhancing professionalization; and emerging approaches, such as
performance-based measure).
---------------------------------------------------------------------------
DHS identifies CTMS qualifications as part of the strategic talent
planning process. See Sec. Sec. 158.401 and 158.402. On an ongoing
basis, DHS identifies the functions that execute the DHS cybersecurity
mission, the cybersecurity work required to perform, manage, or
supervise those functions, and the qualifications necessary to perform
that work. DHS comprehensively identifies DHS cybersecurity work, and
identifies a set of qualifications necessary to perform that work. This
comprehensive set of CTMS qualifications reflects the collective
expertise necessary to execute the DHS cybersecurity mission.
With the assistance of both industrial and organizational
psychologists and DHS cybersecurity experts, DHS identifies, documents,
and verifies those qualifications. To ensure CTMS qualifications are
appropriately work-related, DHS identifies CTMS qualifications in
accordance with appropriate legal and professional guidelines, such as
the Uniform Guidelines on Employee Selection Procedures \119\ and the
Principles for the Validation and Use of Personnel Selection
Procedures.\120\
---------------------------------------------------------------------------
\119\ 29 CFR part 1607 and U.S. Equal Employment Opportunity
Commission, Questions and Answers to Clarify and Provide a Common
Interpretation of the Uniform Guidelines on Employee Selection
Procedures, EEOC-NVTA-1979-1 (Mar. 1, 1979).
\120\ American Psychological Association, Principles for the
Validation and Use of Personnel Selection Procedures, (5th Ed. Aug.
2018), available at <a href="https://www.apa.org/ed/accreditation/about/policies/personnel-selection-procedures.pdf">https://www.apa.org/ed/accreditation/about/policies/personnel-selection-procedures.pdf</a> (last visited May 25,
2021).
---------------------------------------------------------------------------
DHS organizes CTMS qualifications into broad categories defined
primarily in terms of capabilities, such as general professional
capabilities, cybersecurity technical capabilities, and leadership
capabilities. Such categories of capabilities are further defined using
proficiency standards or scales. Professional capabilities, such as
critical analysis, customer orientation, and effective communication,
are required in some capacity for all DHS cybersecurity work.
Cybersecurity technical capabilities, such as cybersecurity
engineering, digital forensics, and vulnerability assessment, are
required in different combinations and at different proficiency levels
for specific categories of cybersecurity work. For example, individuals
performing entry-level cybersecurity work often require very little
proficiency in technical capabilities to be successful, and those
performing expert-level, highly-specialized work often require a high
level of proficiency in one or more technical capabilities to be
successful. Cybersecurity work related to leading people and
organizations requires leadership capabilities, such as leading change,
leading organizations, and resource management, and DHS cybersecurity
senior leadership requires the highest levels of proficiency in such
capabilities.
CTMS qualifications derived from the dynamic DHS cybersecurity
mission are the core of CTMS and its elements. DHS determines which
individuals to recruit and retain based on the specific CTMS
qualifications they are likely to possess and have been demonstrated to
possess. CTMS qualifications are a key component of the work valuation
system, the talent acquisition system, the compensation system, the
performance management program, and the career development program,
each discussed subsequently in this document.
DHS is using qualifications as the core of CTMS and may do so under
the Secretary's authority and discretion for designating and
establishing qualified positions and the exemption from laws relating
to classification in 6 U.S.C. 658.
(c) Other Definitions
In subpart A, Sec. 158.104 defines terms used throughout part 158,
several of which incorporate new concepts and are specific to CTMS,
like qualified positions and qualifications, discussed
[[Page 47859]]
previously. Other new terms and definitions in Sec. 158.104 include
the following:
<bullet> ``Assignment'' means a description of a specific subset of
DHS cybersecurity work and a specific subset of CTMS qualifications
necessary to perform that work, the combination of which is associable
with a qualified position. This conceptual definition of assignment
connects the performance of particular work to broader qualifications
and cybersecurity work of a qualified position. DHS also uses the term
assignment in the administration and operation of CTMS to refer to and
document the details of a DHS-CS employee's current role related to the
cybersecurity mission. A DHS-CS employee's assignment is a description
of a specific subset of DHS-CS cybersecurity work, a specific subset of
the employee's CTMS qualifications, and how the employee is expected to
apply those qualifications to perform that work. Assignments are
discussed further in IV.A.2 of this document.
<bullet> ``CTMB'' means the Cybersecurity Talent Management Board
that assists the Secretary, or the Secretary's designee, in
administering CTMS and managing the DHS-CS. The Secretary or the
Secretary's designee appoints officials to serve on the CTMB and
designates the CTMB's Co-Chairs.
<bullet> ``Cybersecurity work'' means activity involving mental or
physical effort, or both, to achieve results relating to cybersecurity.
<bullet> ``DHS-CS cybersecurity work'' means the cybersecurity work
identified based on the DHS cybersecurity mission.
<bullet> ``DHS cybersecurity mission'' encompasses all
responsibilities of DHS relating to cybersecurity and is fully
described in Sec. 158.201.
<bullet> ``Mission impact'' means a DHS-CS employee's influence on
execution of the DHS cybersecurity mission through application of the
employee's CTMS qualifications to successfully and proficiently perform
DHS-CS cybersecurity work. Mission impact is a factor in DHS-CS
employee compensation, performance management, and development. Mission
impact is discussed further as part of the compensation system, the
performance management program, and the career development program in
IV.E and IV.G, of this document respectively.
<bullet> ``Anticipated mission impact'' means the influence DHS
anticipates an individual to have on execution of the DHS cybersecurity
mission based on the individual's CTMS qualifications and application
of those qualifications to successfully and proficiently perform DHS-CS
cybersecurity work. Anticipated mission impact of an individual
selected for appointment to a qualified position can be a factor in
providing compensation for that individual, including initial salary
and any recognition payment or recognition time-off offered as a
signing bonus. Anticipated mission impact is discussed further as part
of the compensation system in IV.E of this document.
<bullet> ``Mission-related requirements'' means characteristics of
an individual's expertise or characteristics of cybersecurity work, or
both (including cybersecurity talent market-related information), that
are (1) associated with successful execution of the DHS cybersecurity
mission, and that are (2) determined by officials with appropriate
decision-making authority. Mission-related requirements are relevant
for addressing emerging or urgent mission circumstances that are not
yet reflected in the set of CTMS qualifications, or that may be
temporary in nature, but need to be addressed nonetheless. Mission-
related requirements are a factor in salary setting and DHS-CS employee
recognition under the compensation system, matching DHS-CS employees
with assignments under the deployment program, and guiding DHS-CS
employee career progression under the career development program, all
discussed subsequently.
<bullet> ``Strategic talent priorities'' means the priorities for
CTMS and the DHS-CS set by the Secretary or the Secretary's designee on
an ongoing basis under Sec. 158.304. The Secretary or the Secretary's
designee uses strategic talent priorities for administering CTMS and
managing the DHS-CS. Strategic talent priorities inform strategic
recruiting under the talent acquisition system, salary setting and DHS-
CS employee recognition under the compensation system, matching DHS-CS
employees with assignments under the deployment program, and guiding
DHS-CS employee career progression under the career development
program, all discussed subsequently.
Other terms used throughout part 158 that are not necessarily new,
but are defined in Sec. 158.104 specific to CTMS include the
following:
<bullet> ``Additional compensation'' is several types of CTMS-
specific compensation and is described in Sec. 158.603(c) as
recognition, other special pay, and other types of compensation such as
leave and benefits. Note that benefits for Federal employees provided
under Title 5, such as leave and retirement, are usually treated as
separate from Federal pay or compensation, but under 6 U.S.C. 658
benefits are explicitly considered compensation.\121\
---------------------------------------------------------------------------
\121\ 6 U.S.C. 658(b)(3)(A) (``compensation (in addition to
basic pay), including benefits, incentives, and allowances'').
---------------------------------------------------------------------------
<bullet> Appointment types under CTMS are: ``renewable
appointment,'' ``continuing appointment,'' and ``advisory
appointment.'' Each type of appointment is analogous to a type of
appointment under Title 5 and is discussed further in IV.C.3. of this
document.
<bullet> ``Cybersecurity talent market'' means the availability, in
terms of supply and demand, of talent relating to cybersecurity and
employment relating to cybersecurity, including at other Federal
agencies such as DOD. DHS analyzes the cybersecurity talent market to
identify and monitor employment trends and to identify leading
strategies for recruiting and retaining cybersecurity talent. That
analysis is part of the strategic talent planning process and informs
the compensation system, discussed subsequently.
<bullet> ``Salary'' means an annual rate of pay under CTMS and is
basic pay for purposes under Title 5. Note that instead of the term
basic pay, the term salary is used to describe a DHS-CS employee's
annual rate of pay.
<bullet> ``Talent management'' means a systematic approach to
linking employees to mission and organizational goals through
intentional strategies and practices for hiring, compensating, and
developing employees. DHS purposefully uses the term talent management
for CTMS because of its focus on people and its association with
integrated, strategic approaches to recruitment and retention of talent
in alignment with organizational goals. This contrasts with traditional
Federal terms, such as human resources and personnel management, which
are often characterized by tactical execution of administrative
processes and compliance activities. Note, however, that a ``talent
management action'' under CTMS has the same meaning as ``personnel
action'' under Title 5.
<bullet> ``Work level'' means a grouping of CTMS qualifications and
DHS-CS cybersecurity work with sufficiently similar characteristics to
warrant similar treatment in talent management under CTMS. For example,
similar characteristics may include level or type of technical
expertise or a level or type of leadership responsibility. Work level
is one of the work and career structures established by the new work
valuation system, and is discussed further in IV.C.3 of this document.
[[Page 47860]]
<bullet> ``Work valuation'' means a methodology through which an
organization defines and evaluates the value of work and the value of
individuals capable of performing that work. Under CTMS, DHS uses the
new person-focused work valuation system instead of the GS or another
traditional Federal position classification system based on 5 U.S.C.
Chapter 51.
Other terms used throughout part 158 with definitions set forth in
Sec. 158.104 include ``DHS-CS employee,'' and ``DHS-CS advisory
appointee,'' and other terms already defined in law, such as
``cybersecurity risk,'' ``cybersecurity threat,'' and ``functions,''
which are defined in Title 6 of the U.S. Code. An additional term
defined in Sec. 158.104 is ``CTMS policy,'' which is internal DHS
policy, and means DHS's decisions implementing and operationalizing the
regulations in part 158, and includes directives, instructions, and
operating guidance and procedures for DHS employees.
(d) Authority & Policy Framework
In subpart A, Sec. 158.102 states that 6 U.S.C. 658 is the
authority for part 158 and CTMS and explains the scope of that
authority. As discussed in III.C of this document, DHS has broad
authority to design and establish CTMS as a new approach to talent
management and establish the resulting DHS-CS. By statute, the
Secretary's authority ``applies without regard to the provisions of any
other law relating to the appointment, number, classification, or
compensation of employees.'' See 6 U.S.C. 658(b)(1)(B). Consistent with
this authority, Sec. 158.102 explains that part 158 supersedes all
other provisions of law and policy relating to appointment, number,
classification, or compensation of employees that conflict with 6
U.S.C. 658, the regulations in part 158, or CTMS policy implementing
part 158. Also, subparts C, D, E, and F each contain a section that
lists specific provisions of other laws that, under the exemption in 6
U.S.C. 658 regarding appointment, number, classification, and
compensation of employees, are inapplicable under CTMS. See Sec. Sec.
158.405, 158.502, 158.605, and 158.709.
Section 158.102 also explains that some compensation under CTMS is
provided in accordance with other provisions of law, including OPM
regulations, but that CTMS compensation is only authorized under part
158. Additionally, Sec. 158.102 explains that when some CTMS
compensation is provided in accordance with relevant provisions of
other laws, including OPM regulations, DHS follows those other
provisions to the extent compatible with talent management under CTMS.
To maintain the integrity of CTMS, DHS may need to modify application
of relevant provisions of other laws regarding compensation for the
DHS-CS. This is because some of the terms, or concepts, used in those
other relevant provisions are not used under CTMS, and DHS may have to
extrapolate between those terms and concepts and CTMS terms and
concepts to apply those other provisions.
The regulations in part 158 set up the policy framework for CTMS
and the DHS-CS, and DHS administers CTMS and manages the DHS-CS under
part 158 and CTMS policy implementing part 158, which is internal DHS
policy. See Sec. 158.101. If DHS determines additional provisions of
other laws or policy concerning Federal employment apply under CTMS,
DHS will implement those other laws or policy in CTMS policy. When any
talent management situation or emerging issue regarding the DHS-CS
needs clarification, DHS will do so in CTMS policy.
Section 158.102 also includes a preservation of authority clause to
ensure it is clear that nothing in part 158 shall be deemed or
construed to limit the authority under 6 U.S.C. 658 and any further
implementation or interpretation of that authority. If DHS determines
any such implementation or interpretation necessitates a change in part
158, DHS will issue an amendment to this rule.
2. Subpart B--DHS Cybersecurity Service
Subpart B, DHS Cybersecurity Service, contains regulations
addressing the DHS cybersecurity mission and the DHS-CS. Regulations in
subpart B also explain the main aspects of employment for DHS-CS
employees, including assignments in the DHS-CS. This subpart provides
an overview of CTMS from an applicant or DHS-CS employee perspective
and provides references to other rule sections for more information.
This subpart explains generally the mission-driven, person-focused,
market-sensitive approach that DHS is establishing under the authority
and exemptions in 6 U.S.C. 658.
(a) Mission
The DHS cybersecurity mission drives talent management under CTMS
and Sec. 158.201 describes the DHS cybersecurity mission for purposes
of CTMS. This mission encompasses all responsibilities of DHS relating
to cybersecurity. It is dynamic to keep pace with the evolving
cybersecurity risks and cybersecurity threats facing the Nation and to
adapt to any changes in DHS's cybersecurity responsibilities.
As part of establishing CTMS, DHS is also establishing the DHS-CS,
the purpose of which is to enhance the cybersecurity of the Nation
through the most effective execution of the DHS cybersecurity mission.
See Sec. 158.202. The DHS-CS comprises all qualified positions
designated and established under CTMS and all employees serving in
qualified positions.
(b) Qualified Positions
DHS designates qualified positions under the deployment program,
described in Sec. 158.701. See Sec. 158.203. Designating qualified
positions is part of determining whether DHS needs to use CTMS to
recruit and retain individuals possessing CTMS qualifications. The
process of designating qualified positions is set out in Sec. 158.702.
This process, and the deployment program generally, are discussed
further in IV.F of this document.
DHS establishes qualified positions under the talent acquisition
system, described in Sec. 158.501, by appointing an individual to a
previously designated qualified position. See Sec. 158.203. DHS
establishes and fills qualified positions concurrently. The talent
acquisition system, and the processes for assessing, selecting, and
appointing an individual, are discussed further in IV.D of this
document.
(c) DHS-CS Employees
All employees serving in qualified positions are DHS-CS employees
and all DHS-CS employees are in the excepted service. DHS hires,
compensates, and develops DHS-CS employees using CTMS. See Sec.
158.204. DHS manages the DHS-CS based on DHS-CS core values of
expertise, innovation, and adaptability, set out in Sec. 158.305 and
discussed subsequently.
DHS-CS employees execute the DHS-CS cybersecurity mission by
applying their CTMS qualifications to perform the DHS-CS cybersecurity
work of their assignments. See Sec. 158.204. Successful and proficient
performance of that work results in mission impact, which is defined in
Sec. 158.104 as the employee's influence on the DHS cybersecurity
mission. DHS reviews and recognizes a DHS-CS employee based on the
employee's mission impact. See Sec. Sec. 158.204, 158.630, and
158.805.
DHS provides compensation to DHS-CS employees in alignment with the
CTMS compensation strategy, and compensation under CTMS includes both
salary and additional
[[Page 47861]]
compensation. See Sec. Sec. 158.204, 158.601, and 158.603. Also, DHS
strategically and proactively recruits individuals for employment in
the DHS-CS, and DHS guides the development and career progression of
DHS-CS employees. See Sec. Sec. 158.204, 158.510, and 158.803.
(d) DHS-CS Assignments
As explained in Sec. 158.205, each DHS-CS employee has one or more
assignments during the employee's service in the DHS-CS.
Each DHS-CS employee receive an initial assignment upon appointment
to a qualified position. See Sec. Sec. 158.205 and 158.703. A DHS-CS
employee may later receive a subsequent assignment, but a DHS-CS
employee may only have one assignment at a time.
DHS designates and staffs assignments under the deployment program.
See Sec. Sec. 158.205 and 158.703. The deployment program, and the
processes for designating and staffing assignments, is discussed
further in IV.F of this document.
B. CTMS and DHS-CS Leadership: Subpart C
Subpart C, Leadership, sets up the leadership structure for
administering CTMS, including the Cybersecurity Talent Management Board
(CTMB). Subpart C also contains regulations addressing the influence of
the merit system principles on CTMS and the DHS-CS, and establishing
strategic talent priorities and DHS-CS core values.
1. Leaders
As stated in Sec. 158.301, the Secretary, or the Secretary's
designee, is responsible for administering CTMS and managing the DHS-
CS. This includes establishing and maintaining CTMS policy implementing
part 158.
The Cybersecurity Talent Management Board (CTMB) assists the
Secretary, or the Secretary's designee, in administering CTMS and
managing the DHS-CS. See Sec. 158.301. The CTMB comprises officials
representing DHS organizations involved in executing the DHS
cybersecurity mission and officials responsible for developing and
administering talent management policy. See Sec. 158.302. The
Secretary or the Secretary's designee appoints officials to serve on
the CTMB and designates the CTMB's Co-Chairs.
The CTMB shapes and monitors CTMS and the DHS-CS. The CTMB
periodically evaluates whether CTMS is recruiting and retaining
individuals with the qualifications necessary to execute the DHS
cybersecurity mission. See Sec. 158.302. The CTMB may use information
from this evaluation to recommend, or make, adjustments to CTMS, which
may include improvements to the administration or operation of CTMS
elements and practices. The CTMB may designate an independent evaluator
to conduct an evaluation, as necessary.
2. Principles, Priorities, and Core Values
The Secretary or Secretary's designee, with assistance from the
CTMB, administers CTMS and manages the DHS-CS based on: Talent
management principles that address merit system principles, advancing
equity, and equal employment opportunity; strategic talent priorities
for CTMS and the DHS-CS; and DHS-CS core values. These principles,
priorities, and core values are set out in Sec. Sec. 158.303 through
158.305.
As stated in Sec. 158.303, CTMS is designed and administered based
on the core Federal talent management principles of merit and fairness
embodied by the merit system principles in 5 U.S.C. 2301(b). While CTMS
is an innovative approach to talent management, featuring new,
specialized practices not present in many Federal civilian personnel
systems, CTMS remains a merit system in which Federal employment is
based on merit and individual competence instead of political
affiliation, personal relationships, or other non-merit factors. CTMS
features elements and practices for acknowledging individuals'
qualifications and ensuring individuals are treated equitably based on
merit and for ensuring DHS-CS employees are managed in the public
interest. Additionally, the prohibited personnel practices in 5 U.S.C.
2302(b) apply to CTMS and the individuals covered by CTMS.
In addition to the influence of the merit system principles and
application of prohibited personnel practices, CTMS is designed, and
administered, and DHS manages the DHS-CS, in accordance with applicable
anti-discrimination laws and policies. See Sec. 158.303. Talent
management actions under CTMS that materially affect a term or
condition of employment must be free from discrimination. See Sec.
158.303. Through such commitment to anti-discrimination, DHS aims to
reinforce the design of CTMS as a merit system, in which all
individuals, including those belonging to underserved communities that
have been denied consistent and systematic fair, just, and impartial
treatment in cybersecurity and Federal employment historically, are
treated equitably and without discrimination. In alignment with
Executive Order 13985, underserved communities for which DHS seeks to
ensure equal employment opportunity include Black, Latino, and
Indigenous and Native American persons, Asian Americans and Pacific
Islanders and other persons of color; members of religious minorities;
lesbian, gay, bisexual, transgender, and queer (LGBTQ+) persons;
persons with disabilities; persons who live in rural areas; and persons
otherwise adversely affected by persistent poverty or inequality.
Under Sec. 158.304, the Secretary or Secretary's designee, with
assistance from the CTMB, sets strategic talent priorities for CTMS and
the DHS-CS on an ongoing basis using a variety of information.
Importantly, information from strategic talent planning is used to set
strategic talent management priorities. As discussed subsequently, this
is information that is generated by the strategic talent planning
process and its underlying processes, as well as information from
administering CTMS. Setting strategic talent priorities based on the
types of information aggregated in strategic talent planning ensures
that such priorities reflect the latest strategic information about the
DHS cybersecurity mission, cybersecurity work, and the cybersecurity
talent market. Other information used in setting strategic talent
priorities is information from DHS financial planning and strategic
planning, and DHS priorities outside of CTMS and the DHS-CS. Strategic
talent priorities are reviewed and updated to ensure that CTMS is
administered and the DHS-CS is managed in a manner that addresses the
latest DHS priorities, which may include making adjustments based on
new mission or market demands.
Under part 158, strategic talent priorities inform overall
administration of CTMS and management of the DHS-CS, as well as
specifically influence strategic recruiting under the CTMS talent
acquisition system, DHS-CS employee recognition under the CTMS
compensation system, matching DHS-CS employees with assignments under
the CTMS deployment program, and guiding DHS-CS employee career
progression under the CTMS career development program.
The Secretary or Secretary's designee, with assistance from the
CTMB, also administers CTMS and manages the DHS-CS using DHS-CS core
values. As set out in Sec. 158.305, those values are expertise,
innovation, and adaptability. These core values reinforce the design
and purpose of CTMS: Adapting to changes in cybersecurity work, the
cybersecurity talent market, and the
[[Page 47862]]
DHS cybersecurity mission. DHS-CS employees require expertise,
innovation, and adaptability to keep pace with the ever-evolving nature
of cybersecurity work and DHS's dynamic cybersecurity mission, as well
as to remain competitive in the talent market. These core values, and
managing the DHS-CS using them, also underscores the expectation of
continual learning for DHS-CS employees. DHS-CS core values influence
the CTMS performance management program and CTMS career development
program, and are embedded in the CTMS compensation strategy, all
discussed subsequently.
C. Strategic Talent Planning: Subpart D
Subpart D, Strategic Talent Planning, contains regulations
addressing how DHS establishes and administers a strategic talent
planning process to enable CTMS to adapt to changes in cybersecurity
work, the cybersecurity talent market, and the DHS cybersecurity
mission. The strategic talent planning process comprises several
processes and systems by which DHS identifies CTMS qualifications and
DHS-CS cybersecurity work, analyzes the cybersecurity talent market,
and describes and values DHS-CS cybersecurity work, while also
aggregating information to inform the overall administration of CTMS
and management of the DHS-CS. See Sec. 158.401.
The design of CTMS, especially the strategic talent planning
process, implements the Secretary's broad discretion to determine how
to create and use qualified positions, discussed previously in III.A.1
of this document.
1. DHS-CS Cybersecurity Work & CTMS Qualifications Identification
As discussed previously, CTMS qualifications are the core of CTMS,
and CTMS qualifications are derived from the DHS cybersecurity mission.
DHS identifies CTMS qualifications as part of the strategic talent
planning process. As part of the strategic talent planning process, DHS
identifies the functions that execute the DHS cybersecurity mission, as
well as the cybersecurity work required to perform, manage, or
supervise those functions, and the set of qualifications necessary to
perform that work. See Sec. 158.301. On an ongoing basis, DHS updates
this comprehensive set of CTMS qualifications to ensure it reflects the
dynamic DHS cybersecurity mission and the collective expertise
necessary to execute that mission.
Also, as discussed previously, DHS identifies CTMS qualifications
in accordance with applicable legal and professional guidelines
governing the assessment and selection of individuals. Doing so ensures
the qualifications identified are appropriately work-related and do not
disproportionately or improperly impact protected individuals or
groups.
2. CTMS Talent Market Analysis
As part of the strategic talent planning process, DHS conducts
analysis of the cybersecurity talent market on an ongoing basis. See
Sec. 158.403. The analysis includes reviewing data on cybersecurity
talent across the Nation such as aggregated salary and total
compensation data in compensation surveys.\122\ As part of market
analysis, DHS makes compensation comparisons and considers salaries as
well as types of additional compensation, including bonuses and
benefits. By examining total compensation or total rewards, which may
also include non-monetary, work-life balance benefits, DHS is better
able to more accurately compare features of the CTMS compensation
system with features of the total compensation or total rewards
programs of other cybersecurity employers, including private sector
organizations.
---------------------------------------------------------------------------
\122\ See e.g., Pearl Meyer, 2020 Cyber Security Salary Survey,
available for purchase at <a href="https://www.pearlmeyer.com/knowledge-share/research-report/2020-cyber-security-compensation-survey">https://www.pearlmeyer.com/knowledge-share/research-report/2020-cyber-security-compensation-survey</a> (last
visited May 25, 2021).
---------------------------------------------------------------------------
DHS conducts analysis of the cybersecurity talent market using
generally recognized compensation principles and practices. See Sec.
158.403. Such principles and practices include fundamental concepts and
analytical methods often integrated into formal courses of study for
compensation practitioners.\123\ Such principles and practices are also
outlined in publications, intended to support compensation
practitioners when establishing a compensation philosophy, conducting
competitive compensation analysis, and developing compensation
structures and processes.\124\ Using these compensation principles and
practices ensures the design and administration of compensation
addresses DHS organizational goals and complies with legal
requirements, including those prohibiting discrimination in
compensation.
---------------------------------------------------------------------------
\123\ See e.g., eCornell, Compensation Studies Cornell
Certificate Program, available at <a href="https://ecornell.cornell.edu/certificates/human-resources/compensation-studies/">https://ecornell.cornell.edu/certificates/human-resources/compensation-studies/</a> (last visited May
25, 2021); SHRM, Foundations of Compensation, available at <a href="https://store.shrm.org/Foundations-of-Compensation">https://store.shrm.org/Foundations-of-Compensation</a> (last visited May 25,
2021); and WorldatWork, Certified Compensation Professional,
available at <a href="https://www.worldatwork.org/certification/Certified-compensation-professional">https://www.worldatwork.org/certification/Certified-compensation-professional</a> (last visited May 25, 2021).
\124\ See e.g., Barry Gerhart and Jerry Newman, Compensation
(13th Ed. 2020) available for purchase at <a href="https://www.mheducation.com/highered/product/compensation-gerhart-newman/M9781260043723.toc.html">https://www.mheducation.com/highered/product/compensation-gerhart-newman/M9781260043723.toc.html</a> (last visited May 25, 2021); WorldatWork,
The WorldatWork Handbook of Total Rewards: A Comprehensive Guide to
Compensation, Benefits, HR & Employee Engagement (2nd Ed.) available
for purchase at <a href="https://www.worldatwork.org/product/physical/the-worldatwork-handbook-of-total-rewards">https://www.worldatwork.org/product/physical/the-worldatwork-handbook-of-total-rewards</a> (last visited May 25, 2021).
---------------------------------------------------------------------------
DHS uses analysis of the cybersecurity talent market to identify
and monitor trends in both employment for and availability of talent
related to cybersecurity, including variations in the cost of talent or
the cost of living in local cybersecurity talent markets, or both.
Local cybersecurity talent markets are described in Sec. 158.612 as
the cybersecurity talent markets in geographic areas defined by DHS and
are discussed further in IV.D. of this document. DHS analyzes average
cost of talent because such cost can vary significantly in different
local cybersecurity talent markets. Similarly, variations in cost of
living can significantly influence how organizations compensate
cybersecurity employees in specific locations. DHS also uses analysis
of the cybersecurity talent market to identify leading strategies for
recruiting and retaining talent related to cybersecurity.
3. CTMS Work Valuation & Work and Career Structures
As part of the strategic talent planning process, DHS uses a new,
DHS-specific work valuation system to define and value DHS-CS
cybersecurity work, with a focus on qualifications necessary to perform
that work. See Sec. 158.404. As discussed previously in III.A.1 of
this document, under the authority in 6 U.S.C. 658 DHS may create a new
person-focused work valuation system. Although DHS is exempt from
traditional Federal position classification under 6 U.S.C. 658,
including the GS position classification system, DHS is choosing to use
a work valuation system to establish structures to facilitate
systematic management of DHS-CS employees and address internal equity.
Like traditional Federal position classification that influences many
aspects of talent management, especially compensation, the CTMS work
valuation system also influences many aspects of talent management
under CTMS.
Like traditional Federal position classification, the CTMS work
valuation system is a method of work valuation, but features different
core concepts and different practices. The GS position classification
system is a system of ``job
[[Page 47863]]
evaluation'' that describes work by delineating it into jobs defined in
terms of duties, responsibilities, and qualification requirements of a
position.\125\ As explained previously in III.B.2 of this document, the
GS position classification system accounts only minimally for the
individual or the individual's skills, including how the individual's
skills may influence the performance of work. Although GS position
classification is based on duties, responsibilities, and qualification
requirements of positions,\126\ ``the framers of the [GS] job
evaluation system meant the qualifications requirements inherent in the
work--an abstract concept--not the qualifications of specific
individuals.'' \127\
---------------------------------------------------------------------------
\125\ National Academy of Public Administration, Modernizing
Federal Classification: An Opportunity for Excellence (July 1991),
xix-xx.
\126\ 5 U.S.C. 5101(2).
\127\ Joseph W. Howe, History of the General Schedule
Classification System, prepared for the U.S. Office of Personnel
Management, Final Report FR-02-25 (Mar. 2002), 20.
---------------------------------------------------------------------------
The CTMS work valuation system is a system of ``work evaluation''
\128\ that describes cybersecurity work in more flexible, holistic
terms with a focus on the qualifications of individuals necessary to
perform DHS cybersecurity work. Creating a new system of work
valuation, instead of ``job evaluation,'' recognizes that ``jobs have
become more flexible, dependent upon the job incumbent,'' and that work
evaluation or valuation ``is a more encompassing concept than job
evaluation and better captures contributions of the job, person, or
team.'' \129\
---------------------------------------------------------------------------
\128\ Id.
\129\ Robert L. Heneman, Ph.D., Work Evaluation: Strategic
Issues and Alternative Methods, prepared for the U.S. Office of
Personnel Management, FR-00-20 (July 2000, Revised Feb. 2002), 2.
---------------------------------------------------------------------------
The CTMS work valuation system is a person-focused work valuation
system that DHS uses to determine the value or worth of a DHS-CS
employee to DHS based on the employee's qualifications.\130\ This is in
contrast to traditional Federal position classification or work
valuation methods that determine the value or worth of positions based
on the duties and responsibilities of the positions, regardless of the
person in the position.\131\ The design of the CTMS work valuation
system reflects that the DHS cybersecurity mission is dynamic,
cybersecurity work is constantly evolving, and that individuals and
their qualifications significantly influence how cybersecurity work is
performed. Especially for cybersecurity work, an individual can
dramatically alter how work is performed, including the tactics,
techniques, and procedures brought to bear and the quality and quantity
of outcomes produced.
---------------------------------------------------------------------------
\130\ The new work valuation system is similar to a rank-in-
person work valuation system, which determines the value or worth of
an employee to the organization based on the employee's skills. See
U.S. Government Accounting Office, Description of Selected Systems
for Classifying Federal Civilian Positions and Personnel, GGD-84-90
(July 1984), 5 (``Assigning Value to Persons''). The new work
valuation system, however, does not maintain a seniority-based or
time-based promotion process like rank-in-person systems. See Harry
J. Thie et al, Future Career Management Systems for U.S. Military
Officers, Santa Monica, CA: RAND Corporation, MR-470-OSD, prepared
for the Office of the Secretary of Defense (1994), 89-95 available
at <a href="https://www.rand.org/pubs/monograph_reports/MR470.html">https://www.rand.org/pubs/monograph_reports/MR470.html</a> (last
visited May 25, 2021).
\131\ U.S. Government Accounting Office, Description of Selected
Systems for Classifying Federal Civilian Positions and Personnel,
GGD-84-90 (July 1984), 1-2 (``The GS and FWS [Federal Wage Schedule]
are rank-in-position methods that assess the value of the job rather
than the job occupant'') and 5 (``Assigning Value to Positions'').
---------------------------------------------------------------------------
The CTMS work valuation system is based on the set of CTMS
qualifications and the DHS-CS cybersecurity work identified in the
strategic talent planning process. See Sec. 158.404. The work
valuation system recognizes that critical qualifications come and go
with individuals, not positions, and that individuals and the
qualifications they possess significantly influence how cybersecurity
work is performed. Individuals, through their respective and collective
qualifications, influence how problems are tackled, how long
initiatives take, and how effective new solutions are.
DHS uses the work valuation system to establish work and career
structures, such as work levels, titles, ranks, and specializations.
See Sec. 158.404. DHS establishes such work and career structures by
grouping and valuing qualifications and categories of qualifications
based on criticality to the DHS cybersecurity mission. DHS uses these
CTMS work and career structures instead of GS classes and grades and
other traditional Federal position classification job structures. Much
like the classes and grades established by the GS position
classification system, the work and career structures support a variety
of aspects of systematic talent management under CTMS.
DHS uses the work and career structures to organize other elements
of CTMS and to ensure those other elements maintain a consistent focus
on qualifications. DHS uses such work and career structures to describe
and categorize DHS-CS employees, qualified positions, assignments, and
cybersecurity work. For example, the description of an individual's
qualified position includes a work level, such as early-career or
executive, and a title, such as Cybersecurity Specialist or
Cybersecurity Executive.
Importantly, DHS uses the work and career structures as part of the
CTMS compensation system, discussed subsequently, in determining
compensation for individuals in qualified positions with a focus on
CTMS qualifications. For example, in setting an individual's initial
salary, DHS considers applicable work and career structures, including
the individual's work level. See Sec. 158.620.
DHS may also use the work and career structures for budget and
fiscal purposes related to administering CTMS and managing the DHS-CS.
See Sec. 158.404. This is analogous to how agencies use GS grades and
occupations to inform resource planning processes.
As discussed in III.A.1 of this document, the authority in 6 U.S.C.
658 to create a new talent management system is exempt from the GS
position classification system, and other work valuation systems
relying on position classification based on 5 U.S.C. Chapter 51. As
such, Sec. 158.405 states that Chapter 51 and related laws do not
apply under CTMS or to the DHS-CS or to talent management under CTMS.
4. Informing CTMS Administration and DHS-CS Management
DHS aggregates information generated in the processes and systems
that are part of the strategic talent planning process in order to
inf
[…truncated; see source link]Indexed from Federal Register on August 26, 2021.
This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.