The bill directs the Cybersecurity and Infrastructure Security Agency (CISA) to create a program inside its Cybersecurity Education and Training Assistance Program to promote cybersecurity careers among a specified list of disadvantaged groups and nontraditional educational pipelines. The initiative focuses on outreach and partnerships rather than new credentialing or licensing requirements.
This matters because the federal government is explicitly shifting a portion of workforce strategy toward recruiting from underrepresented and nontraditional pools—community colleges, minority-serving institutions, veterans, people previously incarcerated, and older workers—rather than relying solely on traditional four‑year pipelines. That shift could change how employers and state workforce systems recruit, train, and onboard cyber talent while placing new operational demands on CISA and local partners.
At a Glance
What It Does
Creates, within CISA’s Cybersecurity Education and Training Assistance Program, a new Program to promote cybersecurity careers among listed disadvantaged groups. The Director must establish the Program within 180 days of enactment, conduct outreach to a specified set of institutions, tailor activities regionally and sectorally, and produce annual efficacy reports to Congressional committees. The bill authorizes $20 million per fiscal year for FY2026–2031.
Who It Affects
Directly affects CISA (which must design and run the Program), state and local workforce development offices, community colleges and minority-serving institutions, employers seeking cyber talent, and the named participant groups (older workers, racial and ethnic minorities, people with intellectual or developmental disabilities, veterans, formerly incarcerated individuals, women, and graduates of specified nontraditional institutions).
Why It Matters
It formalizes federal leadership on equitable cyber workforce development and ties funding and reporting to that goal. For hiring managers and workforce planners this creates a federally supported recruitment channel and expectations for coordination with education and workforce partners; for CISA it creates a multi-year operational commitment with performance reporting.
What This Bill Actually Does
The bill requires CISA to stand up a Program inside its existing Cybersecurity Education and Training Assistance Program focused on expanding representation in cyber roles. Rather than creating new certification or hiring mandates, the Program is built around outreach, partnerships, and regional tailoring: CISA will reach out to educators, unions, chambers of commerce, state and local workforce offices, private sector entities, community colleges, and parents of K–12 students to raise awareness and connect people to existing pathways into cyber jobs.
A central design point is regional and sectoral tailoring—CISA must adapt activities to the unique needs of each region and industry sector, which pushes the agency toward decentralized engagement with state workforce boards and local institutions. The statute also enumerates which populations to prioritize (for example, veterans, formerly incarcerated individuals, graduates of community colleges and a range of minority-serving institutions, and older workers) and narrows the statutory definition of disability to intellectual or developmental disabilities.
Operationally, the Program includes an express outreach mandate (a list of institutions CISA should contact) and an annual reporting requirement to two Congressional committees describing Program efficacy and workforce impacts.
The law authorizes multi-year appropriations to fund CISA’s work, and the reporting requirement is written broadly enough that CISA will need to define performance metrics—enrollment, placement, demographic reach, and regional distribution—when it implements the Program.
The bill’s approach is intentionally partnership-driven: it leverages community colleges and minority-serving institutions as entry points, and expects coordination with state and local workforce systems and private employers to translate outreach into hiring. The statute leaves many implementation choices—metric definitions, scope of services offered to participants, and precise partnership models—to CISA, which creates both flexibility and ambiguity about how aggressively the agency must deliver concrete training or placement services.
The Five Things You Need to Know
The Director of CISA must establish the Program within 180 days after enactment.
The statute authorizes $20,000,000 per year for fiscal years 2026 through 2031 to support the Program.
CISA must submit an initial report one year after enactment and annual efficacy reports thereafter to the House Homeland Security Committee and the Senate Homeland Security and Governmental Affairs Committee.
The bill defines “older” as age 40 or older for Program eligibility and limits “disability” to intellectual or developmental disabilities.
The outreach list in the statute explicitly names educators, unions, chambers of commerce, state and local workforce offices, private sector entities, community colleges, and parents of K–12 students as targets for awareness-building.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Short title
Declares the Act’s short title as the “Expanding Cybersecurity Workforce Act of 2025.” This is a technical provision but signals the bill’s intent to frame the program as expansion and inclusion rather than regulation or enforcement.
Create Program within CISA’s Education & Training Assistance Program
Requires the Director of CISA to create a Program that promotes cybersecurity careers to a prescribed list of disadvantaged groups and nontraditional educational pipelines. This provision sets the legal home for the initiative (within CISA’s existing education and training vehicle) and the target populations that the Program must prioritize, leaving CISA to design specific activities that advance outreach, recruitment, and connection to opportunities.
Mandated outreach channels and partners
Directs CISA to conduct outreach to a detailed roster of institutions—educators, unions, chambers of commerce, state and local workforce offices, private sector entities, community colleges, and parents of K–12 students. Practically, this creates an expectation that CISA will build formal partnerships and communication strategies tailored to each partner type, and suggests funding may support staffing, materials, and convenings to execute that outreach.
Regional and sectoral tailoring requirement
Requires CISA to adapt the Program to the unique needs of each U.S. region and economic sector. Implementation will push CISA toward working with state workforce boards and industry groups to identify skills gaps and align outreach with local labor market demands; it also increases the coordination burden and complexity of measuring outcomes across heterogeneous geographies.
Annual efficacy reports to Congress
Obligates an initial report one year after enactment and yearly thereafter to two specific Congressional committees, focused on Program efficacy and how it affects the characteristics of the national cyber workforce. Because the statute uses broad language (“efficacy” and “general characteristics”), CISA must define what success looks like and what data it will collect—choices that will shape Congressional oversight and future funding decisions.
Appropriations and statutory definitions
Authorizes $20 million per fiscal year for FY2026–2031 to support the Program, but does not appropriate funds; actual funding will depend on future appropriations. The definitions subsection supplies precise statutory meanings for listed terms—some of which are narrower or peculiar (for example, limiting “disability” to intellectual or developmental disabilities and defining “geographically diverse” in terms of an attempt at equal spread or overrepresentation of low-income communities). These definitional choices will constrain program design and eligibility decisions.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Underrepresented jobseekers (veterans, formerly incarcerated individuals, older workers, racial and ethnic minorities): the Program creates targeted outreach and connection channels to existing training and hiring pathways that can lower information and access barriers.
- Community colleges and minority‑serving institutions: named as prioritized partners, these institutions stand to receive increased collaboration opportunities with CISA and potential access to federal resources, partnerships with employers, and pipeline development support.
- Employers in critical infrastructure and private sector cyber roles: they gain a federally coordinated recruitment channel and a larger, more diverse candidate pool, which can reduce hiring friction for hard-to-fill cyber positions.
- State and local workforce development offices: they receive a federally backed partner to amplify local recruitment and training efforts, potentially unlocking new programmatic collaborations and funding opportunities.
- CISA and federal cyber workforce planners: the agency gains statutory authority to lead equity-focused workforce expansion, improving its convening role between employers, educators, and community organizations.
Who Bears the Cost
- CISA/Department of Homeland Security: responsible for establishing the Program within 180 days, executing outreach, coordinating partners, defining metrics, and producing annual reports—an operational and administrative burden that will require staffing and program management.
- Federal taxpayers and appropriations committees: the law authorizes $20M per year but does not appropriate funds; if Congress funds the authorization, taxpayers will underwrite multi-year operational costs.
- State and local workforce boards and educational partners: while not mandated to participate, these entities will need to dedicate staff time and administrative capacity to coordinate with CISA and implement locally tailored activities.
- Community-based organizations and nonprofits: smaller community partners asked to engage in outreach, recruitment, or participant support may face capacity constraints and may need to absorb unfunded coordination costs.
- Employers (time and program integration): organizations that want to use the Program as a hiring channel will need to align recruitment and onboarding practices to new pipelines, which can require internal HR investment.
Key Issues
The Core Tension
The central dilemma is between targeted equity and scalable impact: the bill aims to expand access for historically excluded groups (depth and fairness), but narrowly targeted, regionally tailored programming requires time, coordination, and resources—reducing the Program’s ability to rapidly scale to meet the country’s large and immediate cyber workforce shortages. Policymakers must choose whether to prioritize intensive, equitable pathways or broad, faster expansion; the statute’s flexibility leaves that choice to CISA rather than resolving it legislatively.
The statute creates a targeted, partnership-driven model but leaves major implementation choices to CISA—metric definitions, the intensity of services provided to participants, and how CISA partners with state and local entities. That flexibility helps CISA adapt the Program to local conditions but raises oversight issues: broad language like “efficacy” and “impacting the general characteristics of the cyber workforce” gives Congress latitude to demand results without providing precise performance baselines or measurement standards.
The authorized funding ($20M/year) signals commitment but is modest relative to the scale of national cyber workforce shortages; the Program’s reach will depend heavily on how CISA leverages partnerships and whether Congress actually appropriates the authorized amount.
Several definitional choices create operational tension. Limiting “disability” to intellectual or developmental disabilities excludes many people with physical, sensory, psychiatric, or other cognitive conditions who face barriers to tech employment.
The “geographically diverse” definition is internally inconsistent—it asks for an equal spread across urban/suburban/rural areas “or overrepresent low-income communities”—which will force CISA to choose between geographic proportionality and equity-focused concentration. Finally, the bill enumerates many nontraditional academic institutions but omits explicit mention of short-term certificate programs, bootcamps, and vendor-backed technical training, which are major real-world entry routes into cyber work.
These omissions will shape eligibility and partner selection in ways the statute does not anticipate.