The bill directs the National Cyber Director to submit, within 180 days of enactment, a plan to create a Federal institute that will serve as a centralized resource for training federal cyber personnel. The institute would deliver modular, work role–specific training (hands-on and virtual), develop curricula aligned to the NIST NICE framework, incorporate work-based learning and badging, and provide training for HR and hiring managers involved in cyber recruitment.
This matters because the federal government has long struggled with uneven cyber hiring and inconsistent baseline skills. The bill pushes for a single design effort—covering curriculum alignment, governance, instructor quality, and relationships with select academic partners—that aims to make federal cyber roles more portable, easier to staff, and more consistently trained across agencies.
It also requires the Director to estimate funding and authorities needed, but it explicitly disclaims any new appropriations authorizations.
At a Glance
What It Does
The bill requires the National Cyber Director to produce and publish a plan to establish a Federal institute that provides modularized, role-specific cyber training, skill assessments, and badging for federal cyber personnel. The plan must align with the NIST NICE framework, propose governance and organizational placement, and describe security-clearance, instructor, and academic partnership arrangements.
Who It Affects
Federal hiring managers, human resources professionals, agency cyber teams (especially entry-level and mid-career transition hires), the National Cyber Director’s office, OPM and federal HR/IT councils, and a handful of academic institutions eligible for partnership. Agencies that run existing cyber skilling programs (e.g., DoD, CISA) will be coordination partners and comparators.
Why It Matters
By centralizing curriculum design and promoting a common badging/assessment approach, the bill aims to reduce redundant training and improve cross-agency staffing flexibility. However, it stops short of funding the institute, which forces agencies and the Director to reconcile ambitious deliverables with no new appropriations.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The bill is a planning mandate rather than an immediate creation of a new agency. Within 180 days the National Cyber Director, working with DHS, DoD, OPM, and other agency heads as needed, must publish a public plan describing how a Federal institute would operate as a centralized training resource for federal cyber roles.
That plan must spell out the institute’s core functions: modular, role-specific training (including hands‑on labs and skill assessments), work-based learning, badging tied to demonstrated proficiency, and options for in-person and virtual delivery. It must also include training tailored to HR staff and hiring managers so agencies can better recruit and onboard cyber talent.
The bill requires the plan to align curricula and competencies with NIST Special Publication 800‑181 (the NICE framework) and to consider existing federal programs—naming the Joint Cyber Analysis Course and CISA’s Federal Cyber Defense Skilling Academy as models. The plan must recommend where the institute should sit administratively (single agency or multi-agency construct), estimate required funding and any new legal authorities, and identify which functions can use existing federal facilities and which will need new investments.
It also asks the Director to describe how some training may occur in classified settings and to propose a security clearance process that can be initiated for trainees while they are still enrolled.Operational details the bill presses for include a governance structure that ensures interagency coordination, a policy for handling trainees who fail to complete required courses, and criteria for instructor currency and retention. The Director must also identify up to five academic partners—specifically, institutions designated by the NSA as Centers of Academic Excellence in cybersecurity and possessing an operational sensitive compartmented information facility (SCIF)—and explain how those schools will contribute.
Finally, the Director must brief designated congressional committees within 270 days and make the plan public; the statute explicitly includes no authorization of additional appropriations, which means implementation will require agencies to reallocate existing resources or seek separate funding later.
The Five Things You Need to Know
The Director must deliver a public plan within 180 days of enactment and brief relevant congressional committees within 270 days.
The plan must align institute curricula with NIST SP 800‑181 (the NICE framework) and account for existing federal programs such as DoD’s Joint Cyber Analysis Course and CISA’s Skilling Academy.
The Director must identify up to five academic partners that are NSA‑designated Centers of Academic Excellence and have an operational SCIF for classified work.
The plan must include a badging system to signal trainee qualifications, developed with consideration of intelligence community credentialing practices.
The statute requires the plan but authorizes no additional appropriations—implementation will rely on existing agency funds or later appropriation action.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Short title
Designates the bill as the 'Federal Cyber Workforce Training Act of 2025.' This is a housekeeping provision but signals the bill’s focus on workforce training rather than procurement, regulation, or operational authorities.
Definitions
Sets key terms used throughout the bill: agency (per 5 U.S.C. 551), cyber work role (tied to the NICE framework and the full lifecycle of designing, securing, operating, and defending cyberspace), Director (National Cyber Director), Federal institute (the institute to be described in the plan), NICE framework (NIST SP 800‑181 or successor), and work‑based learning. These definitions anchor the plan to existing federal taxonomy (NICE), which limits ambiguity about what counts as a cyber role and what training should address.
Plan requirement and institute functions
Requires the Director to submit a plan (public) within 180 days proposing a Federal institute that provides training for new hires and mid‑career transitions and HR staff. The bill lists concrete functions the institute should perform: modular role‑specific training, hands‑on and skill‑assessment components, coordination with DHS and DoD on curriculum, prioritization of entry‑level positions, work‑based learning, development of a badging system, in‑person and virtual options, and non‑degree‑based access. Practically, this gives the Director a detailed specification to shape curriculum design and delivery expectations while leaving implementation details to the plan.
Required plan elements: placement, alignment, and resourcing
Directs the plan to recommend where the institute should sit (single agency or multi‑agency), align competencies with NIST SP 800‑181 and other federal publications, and identify which functions can reuse existing federal facilities versus which will need new resources. The plan must recommend course length and delivery models using existing programs as examples, propose a policy for non‑completion, describe security clearance processes for trainees, propose governance to ensure interagency coordination, and estimate funding and new authorities needed. These mandated elements force the plan to be practical and budget‑oriented even though the bill itself does not appropriate money.
Academic partnerships, instructor quality, and HR tools
Requires the Director to identify how the institute would use academic institutions—specifically NSA‑designated Centers of Academic Excellence with SCIFs—and to select up to five such schools. The plan must also explain how instructors will remain current (scholarship or other means) and how the institute will retain quality instructors. Additionally, the Director must consult with OPM and the federal HR, CIO, and Chief Learning Officers councils to produce tools that help HR professionals manage cyber careers from recruitment to retirement, which builds a bridge between training content and personnel policy.
Congressional briefing and funding limitation
Requires a briefing to specified congressional committees within 270 days on the plan, including funding and authorities needed. The statute also contains an express clause that 'No additional funds are authorized,' meaning the provision creates a planning and reporting mandate but not an appropriation. That limitation shapes likely implementation paths: agencies would need to repurpose existing funds or seek appropriations after the plan is delivered.
This bill is one of many.
Codify tracks hundreds of bills on Technology across all five countries.
Explore Technology in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Entry‑level federal cyber recruits — The institute prioritizes entry‑level curriculum and hands‑on assessments, lowering the onboarding burden on receiving agencies and providing clearer career‑entry pathways.
- Federal HR professionals and hiring managers — The bill mandates modules and tools to train HR staff in cyber recruitment and lifecycle management, improving hiring quality and reducing mismatch between job descriptions and required skills.
- Agencies with small cyber teams — Standardized curricula and badging make it easier for smaller programs to hire staff with verifiable, portable qualifications and to rely on a common training baseline.
- Selected academic institutions — NSA‑designated Centers of Academic Excellence with SCIFs gain partnership opportunities and potential programmatic roles as delivery partners, increasing federal engagement and funding prospects (even if not immediately appropriated).
- The intelligence and national security communities — A badging system developed with IC practices in mind and provisions for classified work help align training to operational security needs and candidate vetting practices.
Who Bears the Cost
- National Cyber Director’s office — The Director must produce a detailed, public plan and brief Congress on a rapid timeline; without new appropriations, the office will absorb planning costs and coordination burdens.
- Participating agencies (DHS, DoD, OPM, others) — Agencies must invest staff time and possibly internal funds to coordinate curricula, share existing assets, and pilot training models; smaller agencies may need to reallocate limited training budgets.
- OPM and HR/CIO/Chief Learning Officers councils — These entities must develop and roll out HR tools and policies to manage cyber careers, adding to their workload and requiring cross-agency harmonization.
- Academic partners and instructors — Schools chosen for partnership may need to maintain or expand SCIF capacity and adapt curricula to federal standards, absorbing costs if no immediate federal funding follows.
- Trainees and hiring agencies — If the plan’s non‑completion policy is strict and agencies lack funding for remediation, individuals or receiving agencies could face personnel management headaches.
Key Issues
The Core Tension
The central dilemma is between standardization and agility: the bill pushes for a centralized institute to produce consistent, portable cyber skills across the federal workforce, but centralization risks overlooking agency‑specific needs, creating interagency turf disputes, and faltering without dedicated funding—so the policy trade‑off is strong coordination versus tailored, fundable, and mission‑specific training.
The bill is intentionally a planning statute: it lays out a comprehensive set of deliverables without providing appropriations. That generates the immediate implementation question of how to staff the planning effort and pilot training without new funds.
Agencies may repurpose existing training budgets or delay operational rollout until separate appropriations are secured, which could produce uneven capability development across agencies.
Centralization brings benefits (shared curriculum, portability, consistent assessments) but also creates real operational tradeoffs. A single institute may struggle to accommodate mission‑specific training needs across the intelligence community, DoD, DHS, civilian agencies, and law enforcement.
The requirement to use NSA‑designated CAE schools with SCIFs narrows academic partners to institutions already steeped in national security work, which helps classified training but limits geographic and demographic reach. The statute also leaves open key implementation questions: what constitutes reasonable funding estimates, how badging will interoperate with agency hiring systems and existing credentials, how security clearances will be started and funded for trainees while enrolled, and what sanctions (if any) apply to trainees who fail to complete courses.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.