The Cybersecurity Hiring Modernization Act amends 5 U.S.C. 3308 to restrict when federal agencies can require formal education for cybersecurity roles in the competitive service. It allows education requirements only where a State or local law requires them for the job or where the specific coursework or degree clearly maps to the competencies needed to perform the role.
The bill also directs the Office of Personnel Management to publish any changes to education-related minimum qualification standards and to post annual aggregate data on the educational attainment of people entering covered cybersecurity positions. For HR leaders, hiring managers, and workforce planners, the measure shifts the default away from degree filters and toward competency-based hiring and creates new transparency around hiring outcomes.
At a Glance
What It Does
The bill inserts a new subsection into 5 U.S.C. 3308 that limits agencies’ ability to set minimum education requirements for certain cybersecurity roles and requires OPM to publish changes and aggregate accession education data. It defines the scope of affected roles by reference to the GS–2210 series and the NICE/NIST cybersecurity workforce framework.
Who It Affects
This targets competitive-service cybersecurity positions (GS–2210 and roles labeled under the NICE framework), federal HR offices, hiring managers, OPM, and applicants — especially experienced technologists without traditional degrees. It also matters to training providers and certification bodies that supply alternative credentials.
Why It Matters
By curbing degree-based filters and mandating data disclosure, the bill could widen the candidate pool, push agencies toward competency-based qualification standards, and change how agencies document and defend hiring decisions for cybersecurity talent.
What This Bill Actually Does
The bill makes a narrow but important change to how agencies may use education when setting minimum qualifications for cybersecurity jobs in the competitive service. Instead of allowing agencies broad discretion to require degrees or diplomas, it says an agency may set an education minimum only in two narrowly defined circumstances: where a law of the State or locality where the work is performed mandates the educational credential, or where the candidate’s specific education demonstrably corresponds to the competencies needed for the job.
Operationally, that second test — whether education "directly reflects the competencies" — shifts the focus from credential possession to demonstrable skills. Agencies will still be able to require minimum qualifications, but education can be used only as evidence of those qualifications when there is a clear, documentable linkage between course work or degree content and the duties of the position.
That pushes agencies toward writing and validating competency statements rather than defaulting to degree boxes on vacancy announcements.
The bill also adds a transparency layer: OPM must publish any changes to the education components of minimum qualification standards and, starting one year after enactment and annually thereafter, post aggregate data showing the education levels of all accessions into covered positions, sorted by position classification. That reporting requirement creates a public record that will let workforce planners and Congress see whether agencies are hiring candidates without degrees and how those trends evolve.
Finally, the bill limits its reach to the competitive service and defines covered positions as those classified under the GS–2210 information technology management series (and successors) and any competitive-service positions designated as "cybersecurity" under the NICE framework (NIST SP 800–181).
The change therefore targets the core federal cybersecurity occupational categories rather than sweeping across all IT or security roles.
The Five Things You Need to Know
The bill amends 5 U.S.C. 3308 to add a new subsection that narrows when agencies can impose minimum educational requirements for specified cybersecurity jobs.
An agency may require a minimum education only if a State or local law requires that credential for the position where the duties will be performed.
Agencies may rely on a candidate’s education to meet other minimum qualifications only when that education directly reflects the competencies necessary to perform the position’s duties.
OPM must publish any changes to education-related minimum qualification standards and, beginning one year after enactment, post annual aggregate data on the educational attainment of all accessions to covered positions, sorted by position classification.
The restriction applies to competitive service positions in the GS–2210 information technology management series (or successors) and positions designated as 'cybersecurity' under the NICE (NIST SP 800–181) workforce framework.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Short title
Declares the Act’s short title as the 'Cybersecurity Hiring Modernization Act.' This is a formal naming clause without substantive effect on standards or implementation.
Creates a statutory limit on education requirements for covered cybersecurity positions
The core statutory edit inserts a new subsection into 5 U.S.C. 3308. Practically, it constrains agencies from using education as a routine gate for hiring in specified cybersecurity roles. The drafting sets two discrete pathways to justify an education requirement: a jurisdictional legal mandate or an explicit, demonstrable linkage between the applicant’s education and the job competencies. That second clause will require agencies to document how particular coursework or degrees map to qualification elements.
OPM transparency and reporting obligations
The bill requires OPM to publish on its website any changes to education-related minimum qualification standards and to produce aggregate accession data about educational attainment. The first report is due within one year after enactment and then annually. The statute specifies sorting the accession data by position classification, which enables comparative analysis across GS levels or job titles and creates an evidentiary basis to evaluate whether degree requirements are being relaxed in practice.
Definition of 'covered position'
The bill defines covered positions to include GS–2210 (information technology management series) and successor series, plus any competitive service role designated as 'cybersecurity' under the NICE (NIST SP 800–181) framework. That definition targets the federal cybersecurity occupational taxonomy rather than broader IT or security classifications and ties coverage to an external, recognized workforce framework (NICE).
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Experienced technologists without traditional degrees: The bill reduces the use of degree filters, making it easier for candidates with boots‑on‑the‑ground experience, certifications, or non‑degree training to pass minimum qualification screens for federal cybersecurity jobs.
- Federal agencies seeking talent quickly: Agencies with hiring bottlenecks can broaden their applicant pools and prioritize demonstrated skills or certifications over time‑consuming degree verification.
- Alternative credential providers and bootcamps: Increased emphasis on competencies and certifications creates market opportunities for non‑degree training programs that align curricula to federal competency statements.
- Workforce planners and Congress: The OPM reporting requirement supplies empirical data on accession education levels, enabling oversight and evidence‑based workforce policy decisions.
Who Bears the Cost
- Agency HR offices and hiring managers: They must revise qualification standards, develop competency mappings, and justify hires without degree credentials — work that will consume resources and require new validation processes.
- OPM: The Office must publish changes and compile annual aggregate accession data, a recurring administrative task that may require data standardization and allocation of resources.
- Higher‑education institutions that rely on degree signaling: If agencies shift hiring away from degrees toward skills-based criteria, some institutions may lose signal value they historically provided to federal employers.
- Agencies responsible for multi‑jurisdictional roles: Positions with telework or multi‑state footprints will face complexity in applying the 'State or locality law' carveout, creating administrative overhead to determine applicable legal requirements.
Key Issues
The Core Tension
The central dilemma: widen access to federal cybersecurity jobs by removing degree gatekeepers and bring in practical talent quickly, or preserve clear, defensible minimum standards to ensure baseline technical competence; the bill advances access and transparency but leaves agencies to reconcile that openness with the need for rigorous, legally defensible qualifications.
Several implementation challenges are baked into the text. The 'required by law' exception is narrow in language but murky in practice: many federal roles are not governed by State or local education mandates, and telework or multi‑jurisdictional positions will raise questions about which jurisdiction’s law controls.
Hiring officials will need clear guidance on determining the applicable jurisdiction and when a local law actually mandates an educational credential.
The competency linkage test pushes agencies toward evidence‑based qualification standards but leaves open how to validate that linkage. Agencies will need to create competency statements, assessors, and documentation protocols to show that a specific degree or coursework maps directly to job duties.
That validation process is resource‑intensive and raises legal risk if not applied consistently; the statute does not prescribe a methodology or accreditation standard for competency mapping. Finally, OPM’s annual reporting requirement increases transparency but also exposes data governance questions (how 'accessions' are defined and categorized, how to handle privacy or small‑cell data) and may require OPM to invest in new data collection and publication workflows.