This bill amends the Homeland Security Act of 2002 to establish a DHS Cybersecurity On-the-Job Training Program. The program will be led by the Director within DHS and aims to voluntarily train Department employees who are not currently in cybersecurity positions to work on cybersecurity matters.
It requires a curriculum aligned to existing federal cyber-education frameworks and allows for various training modalities, including distance learning and on-the-job instruction. The bill also creates a seven-year reporting requirement to Congress that covers participation, job placement outcomes, and program metrics, and it authorizes participation of other Federal employees where appropriate.
The Under Secretary for Management is tasked with vacancy reporting, recruitment support, policy development to encourage participation, and outreach to program graduates on cybersecurity opportunities within the Department.
At a Glance
What It Does
Creates a DHS Cybersecurity On-the-Job Training Program within Subtitle A of Title XXII of the Homeland Security Act. The Director will develop the curriculum, ensure proper alignment with existing frameworks, and deliver training to willing DHS employees (and, where appropriate, other Federal employees). The program includes annual reporting requirements for seven years.
Who It Affects
DHS components, managers, and staff who participate; cybersecurity personnel who supervise or mentor trainees; and potential recipients of training within other federal agencies if extended.
Why It Matters
It builds internal cyber capacity by re-skilling existing DHS staff, potentially reducing vacancy gaps and improving day-to-day cyber defense capabilities; it also establishes measurable reporting to assess program effectiveness over seven years.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The bill adds a new program to the Homeland Security Act aimed at building a domestic cybersecurity workforce from within DHS. The DHS Cybersecurity On-the-Job Training Program is designed to be voluntary and focused on employees who are not currently in cybersecurity roles but who can be trained to perform cyber-related functions.
A Director, in consultation with the Under Secretary for Management, will develop and oversee a curriculum that draws on established federal cyber education resources, including distance learning and on-the-job instruction under experienced staff. The program may also extend training to other federal employees when appropriate, and it must align with recognized education frameworks to ensure quality and consistency.
The Five Things You Need to Know
The bill creates the DHS Cybersecurity On-the-Job Training Program within the Homeland Security Act.
The Director must develop a curriculum aligned with established federal cyber education frameworks and oversee delivery.
Training is voluntary and can occur through multiple modalities (distance learning, in-person, on-the-job).
The program requires seven years of annual reporting to Congress on participation, hires, and program metrics.
A clerical amendment adds Sec. 2220F to the Homeland Security Act table of contents.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Establishment and leadership of the Program
The bill establishes a DHS Cybersecurity On-the-Job Training Program within the DHS framework and directs that it be led by the Director, in consultation with the Under Secretary for Management. The program is designed to voluntarily train DHS employees who are not currently in cybersecurity positions to work on cybersecurity matters. The Director is tasked with creating a curriculum that incorporates existing curricula and aligns with the National Initiative for Cybersecurity Education Framework (NICE) or successor frameworks. Delivery mechanisms may include distance learning, classroom instruction at a work location, or on-the-job instruction under experienced cybersecurity supervision, or other appropriate methods.
Director’s duties on curriculum and participation
The Director must develop participation criteria and ensure personnel are correctly coded to the NICE framework or its successor. The Director is responsible for making cybersecurity training available to DHS employees and, as appropriate, to other Federal employees. The section also requires the Director to implement and maintain the curriculum in alignment with established frameworks and to ensure ongoing access to training across the Department.
Under Secretary for Management duties
During the same seven-year period, the Under Secretary for Management must (1) report annually on cybersecurity vacancy statuses across the Department; (2) support recruitment efforts to involve Department employees in the Program; (3) implement policies, including continuing service agreements, to encourage participation; and (4) conduct outreach to Program graduates regarding cybersecurity job opportunities within the Department.
TOC amendment for Sec. 2220F
The bill amends the table of contents in the Homeland Security Act of 2002 by inserting Sec. 2220F, signaling the formal addition of the DHS Cybersecurity On-the-Job Training Program to the statute.
This bill is one of many.
Codify tracks hundreds of bills on Technology across all five countries.
Explore Technology in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Non-cyber DHS staff who participate gain cybersecurity skills and potential placement into cyber roles within DHS.
- DHS components’ cybersecurity units benefit from a larger, trained internal talent pool capable of addressing security incidents more rapidly.
- The Director and DHS leadership obtain a structured pipeline with defined metrics and accountability through yearly reporting.
- Other Federal employees could benefit if the program expands to train personnel from agencies outside DHS as appropriate.
Who Bears the Cost
- DHS components incur costs for curriculum development, training delivery, and staff time required for training.
- Participants may experience time-away-from-duty during training, potentially affecting their day-to-day responsibilities.
- Administrative overhead from collecting data and producing annual reports under the seven-year requirement adds to agency workload.
Key Issues
The Core Tension
The central dilemma is balancing the internal capacity-building goal of a voluntary re-skilling program against the practical constraints of funding, staffing, and the uncertain scope of expansion beyond DHS. The bill seeks to improve cybersecurity readiness without creating a long-term budget obligation, but the reliance on voluntary participation and ongoing reporting creates a governance and execution challenge.
The program is voluntary and focused on re-skilling existing DHS staff, which mitigates mandatory staffing burdens but creates questions about scale and funding. The bill does not include explicit appropriations, so the financial burden would fall on DHS budgets and internal reallocations.
The seven-year Congress-facing reporting requirement imposes ongoing administrative work, and the success of the program depends on the quality of the curriculum and the effectiveness of the placement outcomes in cybersecurity roles. Additionally, the potential expansion to other Federal employees hinges on administrative discretion and available resources, which could affect interagency coordination and cost-sharing.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.