The Secretary of the Navy signed the new SECNAV Manual 5239.2, “Cyberspace Information Technology and Cybersecurity Workforce Management and Qualification” on June 27, 2016. Publication of this manual supports implementation of the guidance outlined in DoD Directive 8140.01, “Cyberspace Workforce Management” and Secretary of the Navy (SECNAV) Instruction 5239.20A, “Department of the Navy Cyberspace Information Technology and Cybersecurity Workforce (DON Cyber IT/CSWF) Management and Qualification”.
The instruction and manual outline a new approach to the identification, management, development, and qualification of DON Cyber IT and Cybersecurity personnel including military, government, civilian and contractor alike. The manual is a completely new version that replaces the SECNAV M-5239.2 of May 29, 2009, which is now canceled.
The publication of the new SECNAV instruction and manual this year was the result of almost two years of work across many Secretariat, Navy and Marine Corps organizations at all levels, from the field to headquarters commands. Development of these documents also included a look at what went right, and what went wrong, with implementation of the DoD 8570.01-M program and the challenges related to that program over the last 12 years.
We had a foundation to work from, and a capable workforce in place all doing the work that needs to be done, but we needed to develop processes and guidance that captured what actually worked and what could be done to improve the program. We have; however, kept in mind that things change and we need to be flexible, while ensuring we are not addressing change in the wrong way. The processes and management pieces incorporated in this new program are designed to do that.
As in other DON mission areas, the cyberspace mission area not only integrates with other mission areas, but also has unique missions of its own. The Navy and the Marine Corps each identified the specific occupations and qualifications required of the military and civilian personnel in their respective organizations to ensure the DON can be successful in the cyberspace mission area.
The program now moves from the old Information Assurance (IA) Category and Level structure of the DoD 8570-01.M, and its associated functions. to a new baseline National Cyber Workforce category and specialty area construct using the approach outlined in the National Initiative for Cybersecurity Education (NICE) Workforce Framework (see Figure 1). This approach, configured specifically for the Navy and Marine Corps, aligns to the tasks and the knowledge, skills and abilities that the Services require of their personnel. This includes qualities of civilian occupations and the objectives of education, training and evaluation identified in military schoolhouses, training qualification programs, academic degree programs, and nationally and internationally recognized IT and cybersecurity certification and credentialing programs.
The new program foundation relies on four key concepts. First, this community will be educated, trained and qualified just as every other community is — fundamentals, technical training, on-the-job qualification, and continuous development. No longer will "qualified" mean that you obtained a couple of certifications and have a security clearance.
Second, we're going to achieve what was directed by DoD 8570-01.M but never attained: an automated capability to identify and manage the workforce. We are piloting a project to properly code billets in the service manpower systems and have an automated tool available for use within the Total Workforce Management Services (TWMS) system.
Third, the program now focuses on options for obtaining and demonstrating mastery of knowledge. The program provides for the use of academic degrees, certifications, credentials, and completion of military training to meet both fundamental knowledge and specific technical knowledge requirements. All of these avenues for development can be used together to ensure the workforce has the knowledge necessary to qualify and perform to the best of their ability.
Most important, this new guidance places the authority and responsibility for determining a person's qualification on the command and Cyber IT/Cybersecurity experts within the command. The use of personnel qualification programs means that personnel will be formally qualified in accordance with service and organizational guidance after they have received instruction on the performance required for their position and after the command has said, “You're qualified.”
Throughout the discussions of what was missing in the old program, one major item that kept coming up was that the workforce didn't have someone to manage the program, so there wasn’t clear direction of who maintains the records, identifies needs, and tracks qualification. The new instruction and manual addresses that issue with the Cyber IT/Cybersecurity Workforce Program Manager (Cyber IT/CSWF-PM).
The Cyber IT/CSWF-PM will be responsible for administration of the organization's Cyber IT/CSWF Program. That means the Cyber IT/CSWF-PM will manage the identification of Cyber IT/Cybersecurity positions and associated qualification requirements and track education, training, qualification, and development needs of the personnel in their organization, as well as report the status of workforce personnel. It is much like what is already in place across the Services for organizational training managers.
Another crucial element to the role of Cyber IT/CSWF-PM is communication. One critical lesson learned was that information regarding workforce training and qualification didn't always get to those who needed it. As well, information from the deck plates and the ground did not make it up to leadership. With the establishment of the Cyber IT/ CSWF-PM position, the means of getting the right information out to the workforce and the communication of issues and requirements up the chain of command are now in place. The Cyber IT/CSWF-PM will also be the official who will access and maintain the Cyber IT/CSWF information in the new TWMS module. More specific information on that TWMS responsibility will be provided by the Navy and Marine Corps in the near future.
This new SECNAV guidance is only the top level of the program. The Navy and the Marine Corps will be issuing supporting guidance and implementing the programs necessary to transition from the current IT and IA workforce to the Cyber IT and Cybersecurity workforce of the future. Actual transition will not happen overnight and there are “things” that may need to be amended to make the program more viable.
There will be questions such as, “What does this mean to me?” We understand that. For now, many of you will find you are already qualified and that the records just need to be updated in the new workforce module. Others will find that they will want to revise their information, and that will need to be accomplished. Some may need to meet some of the requirements for qualification — such as attainment of an on-the-job personal qualification; time and processes will be provided for that.
For the civilian workforce, the language in position descriptions will change. Attainment and maintenance of IA certifications will no longer be a condition of employment; however, attainment and maintenance of a qualification will be. But that qualification will be based on the options detailed in the manual and continuing education.
For those with certifications, Navy and Marine Corps guidance for funding continuing education programs remains as currently detailed in policy. For the Navy, those who wish to voluntarily take an examination for a certification will follow current procedures. The overall goal for all personnel is that the new program will be relevant, focused on need and the work actually being done, and infused with the opportunity for continuing development.
As mentioned, expect further guidance from the Navy and Marine Corps, if it has not been promulgated by the time this article appears. The DON CIO, Navy, and Marine Corps will be working together to get information out to the workforce and to identify and resolve questions and problems as they arise. The transition must be a team effort.
You can access and download both the instruction and the manual from www.doncio.navy.mil. Note: the matrices mentioned in the manual will be available through the Total Workforce Management Services (TWMS) module. Additionally, DON Credentialing Opportunities On-Line (COOL) will be establishing an information page on its website: https://www.cool.navy.mil.
All pertinent Navy documents will be posted to the Naval Information Forces (NAVIFOR) CSWF page at: https://usff.portal.navy.mil/sites/NAVIDFOR/manpower/cswf/SitePages/Home.aspx.
All pertinent Marine Corps documents will be posted to the Headquarters Marine Corps (HQMC) C4 CY SharePoint® portal at: https://eis.usmc.mil/sites/c4/cy1/Pages/WF.aspx.
Chris Kelsall is the DON CIO Cyber Workforce lead.
See also CHIPS articles: DON Cyberspace (Cyber) IT and Cybersecurity Workforce — Who Are We? and “DON Cyberspace (Cyber) IT and Cybersecurity Workforce Credentialing”