Skip to Main Content

DOD Shifts Cyber Workforce Strategy to Prioritize Skills Over Pedigree

Defense officials and experts say that hiring and maintaining cyber talent is critical to national security.  

4m read
Written by:
Defense Department officials said that they are looking to hire and retain cyber talent.
Defense Department officials said that they are looking to hire and retain cyber talent. Photo Credit: Air Force Staff Sgt. John Wright

The Defense Department is shifting its personnel management approach under the Defense Cyber Workforce Framework (DCWF) to prioritize demonstrable skills and abilities over traditional markers of pedigree like specific degrees. This change, driven by the evolving nature of cyber threats and the need to rapidly adapt, is being implemented under the framework of DOD Manual 8140.03 Cyberspace Workforce Qualification and Management Program, part of DCWF.

“I am much more concerned about people who can actually do the job than the pedigree of what they bring to the job,” said Mark Gorak, principal director for resources and analysis for DOD’s Office of the CIO, in an interview with GovCIO Media & Research.

Gorak said that the DCWF defines 73 work roles, each outlining the necessary knowledge, skills, abilities and tasks for the position. Released in February 2023, the 8140 document shifts DOD’s workforce strategy from requiring specific combinations of education, experience and certifications to recommending them.

Matthew Isnor, program lead for cyberspace workforce development at DOD, told GovCIO Media & Research that 8140 is a “total human capital program.” The goal, Isnor said, is to broaden the search for talent and find individuals ready for continuous professional development, ensuring that the workforce remains current with the changing cyber landscape.

“We’re trying to find the people that have the aptitude to be successful, to come into the department, then not stop there and follow on with training and qualifications,” said Isnor. “[They then also need to] get another step and have that continuous professional development.”

Since the Pentagon released the DCWF in 2023, the department has emphasized the need to update and maintain the skills required in the workforce, including certifications. Officials from ISC2, a professional association representing more than 650,00 cybersecurity professionals, told GovCIO Media & Research that the 8140 document broadened the field, but also created confusion in the cybersecurity labor marketplace.

“There’s been some teething making sure everybody’s on the same page and the transition,” said ISC2 Chief Qualifications Officer Casey Marks. “When more of the intended audience is familiar with the pathway … I’d expect it to ramp up. It’s just been a little slow going.”

The DCWF enforces new requirements in the coming years. By February 2025, the cybersecurity element of the cyber workforce must be fully coded with qualification levels. By February 2026, the rest of the cyber force will follow suit. This coding will categorize individuals and positions, creating a gap analysis that will serve as a readiness report, indicating the health of the cyber workforce.

“We code the work roles for an individual and a position, and now we’re going to code the qualification levels of those individuals, whether the position requires a basic level, an intermediate level or an advanced level,” said Gorak.

The near-constant evolution of technology requires continuous updating of the roles. Gorak said that “the operational side of cyber is changing at an eight-to-12-month pattern, even faster in some in some specialties,” requiring his office to exercise authority to modify work roles.

“We have to be responsive to the operators. In our feedback loop, the operators provide us feedback on the knowledge, skills, abilities and tasks for each work role. I then have the ability to change those work roles at a department level every 90 days,” Gorak added. “In the past two years, we’ve changed over 50% of all of our work roles.”

These roles require updating certifications across the cyber workforce, Marks added.

“The pressure is often to develop a qualification or education scheme to match a specific role or a very specifically, narrowly defined area,” Marks said. “We’re constantly on top of looking at what’s in our certifications.”

DOD needs talent with new and old skill sets, ISC2 Executive Vice President of Advocacy, Global Markets and Member Engagement Tara Wisniewski told GovCIO Media & Research.

“We’ve been really careful not to get sucked into shiny object syndrome,” said Wisniewski. “People who can actually embrace those principles, but then bring the creativity around an entrepreneurial environment, will have the most success.”

The framework, according to Isnor, outlines how DOD can remain agile to the needs of the warfighters, enterprise and other aspects of the department.

“[DOD hiring values include] being flexible, being responsive, finding out what is actually going on in the day-to-day operations,” said Isnor. “We can then communicate constantly with our trusted partners, our certification partners, our training providers and academic partners in … what our workforce needs to look like in the next five to 10 years.”

One of the challenges is how to retain top talent, which is essential to adopting the best cybersecurity practices, said Wisniewski,

“DOD has the challenges of retention. They have the challenges of keeping people engaged, keeping them there,” said Wisniewski. “We know that if you have a team that has spent more time together, that have worked together, that there’s really low retention, teams are much more vibrant and can function at a higher level of security resilience.”

The 8140 plan categorizes staff with a mix of technical management responsibilities, and the department is developing ways to incorporate “soft skills and professional skills,” Isnor said. Defense officials told GovCIO Media & Research that DOD is still working through paths to career evolution for cyber professionals.

“There is a gap when we talk about … how we develop operational planning, cyber leadership,” Patrick Johnson, director of the DOD Chief Information Officer’s Workforce Innovation Directorate, told GovCIO Media & Research. “That’s something we’re going to kind of cast our gaze on, because you’re talking about career pathing. How do they move from where they are right now at the operational level, up through the ranks, and assume that responsibility. If we’ve followed traditional models, that is not adequate.”

Creating those paths is part of the momentum that DOD is trying to maintain going into the new year, Johnson said.

“How can we better enable and bring capability to the field and kind of knock those barriers down?” Johnson added. “That’s our focus … We’re out to build a collaborative environment and show the value of what we’re doing.”

Gorak said that DOD is making progress in hiring cyber professionals. He expressed optimism at the ways DOD has addressed the workforce gaps identified in the DCWF.

“We’ve reduced our vacancy rate by thousands of people,” said Gorak. “When we turn over 10,000 a year, we have to replace those. And we have not only replaced those, but we’ve even hired a lot of our vacancies.”

Wisniewski said that the state of global cybersecurity — Volt Typhoon-type attacks and Iran’s influence, for example — mean that DOD’s energy toward cyber workforce challenges will not abate.

“It’s going to be really interesting to see what position the Trump administration takes, and what that looks like,” said Wisniewski. “The reality is, on the global scale, there is so much activity happening in this space that I don’t think that there’s going to be a change in some of the momentum that we’re seeing.”

Related Content
Woman typing at computer

Stay in the Know

Subscribe now to receive our newsletters.

Subscribe