Editorial Notes
References in TextThe date of the enactment of this section, referred to in subsecs. (h)(1) and (j)(1), is the date of enactment of Puspan. L. 114–92, which was approved Nov. 25, 2015.
Amendments2016—Subsecs. (f), (g). Puspan. L. 114–328, § 1103(a), added subsec. (f) and redesignated former subsec. (f) as (g). Former subsec. (g) redesignated (h).
Subsec. (h). Puspan. L. 114–328, § 1103(a)(1), redesignated subsec. (g) as (h). Former subsec. (h) redesignated (i).
Subsec. (h)(2)(E). Puspan. L. 114–328, § 1103(span)(2), substituted “employees described in subsection (f)(2) on the use of authorities under this section” for “supervisors of employees in qualified positions at the Department on the use of the new authorities”.
Subsecs. (i) to (k). Puspan. L. 114–328, § 1103(a)(1), redesignated subsecs. (h) to (j) as (i) to (k), respectively.
Statutory Notes and Related Subsidiaries
Change of NameCommittee on Oversight and Government Reform of House of Representatives changed to Committee on Oversight and Reform of House of Representatives by House Resolution No. 6, One Hundred Sixteenth Congress, Jan. 9, 2019. Committee on Oversight and Reform of House of Representatives changed to Committee on Oversight and Accountability of House of Representatives by House Resolution No. 5, One Hundred Eighteenth Congress, Jan. 9, 2023.
Department of Defense Cyber Workforce EffortsPuspan. L. 116–283, div. A, title XVII, § 1726(a), (span), Jan. 1, 2021, 134 Stat. 4115, as amended by Puspan. L. 118–31, div. A, title XV, § 1531(c)(4), Dec. 22, 2023, 137 Stat. 563, provided that:“(a)Resources for Cyber Education.—“(1)In general.—The Chief Information Officer of the Department of Defense, in consultation with the Director of the National Security Agency (NSA), shall examine the current policies permitting National Security Agency employees to use up to 140 hours of paid time toward NSA’s cyber education programs.
“(2)Report.—“(A)In general.—Not later than 90 days after the date of the enactment of this Act [Jan. 1, 2021], the Chief Information Officer shall submit to the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] and the congressional intelligence committees a strategy for expanding the policies described in paragraph (1) to—“(i) individuals who occupy positions described in section 1599f of title 10, United States Code; and
“(ii) any other individuals who the Chief Information Officer determines appropriate.
“(B)Implementation plan.—The report required under subparagraph (A) shall detail the utilization of the policies in place at the National Security Agency, as well as an implementation plan that describes the mechanisms needed to expand the use of such policies to accommodate wider participation by individuals described in such subparagraph. Such implementation plan shall detail how such individuals would be able to connect to the instructional and participatory opportunities available through the efforts, programs, initiatives, and investments accounted for in the report required under section 1649 of the National Defense Authorization Act for Fiscal Year 2020 (Public Law 116–92 [133 Stat. 1758]), including the following programs:“(i) GenCyber.
“(ii) Centers for Academic Excellence – Cyber Defense.
“(iii) Centers for Academic Excellence – Cyber Operations.
“(C)Deadline.—Not later than 120 days after the submission of the report required under subparagraph (A), the Chief Information Officer of the Department of Defense shall carry out the implementation plan contained in such report.
“(span)Discharge Through Director.—In carrying out this section, the Chief Information Officer of the Department of Defense shall act through the Director of the office established under section 2192c of title 10, United States Code.”
[Subsec. (span) of section 1726 of Puspan. L. 116–283, set out above, was added by Puspan. L. 118–31, div. A, title XV, § 1531(c)(4), Dec. 22, 2023, 137 Stat. 563. Another subsec. (span) of section 1726 is set out as a note under section 2224 of this title.]
Zero-Based Review of Department of Defense Cyber and Information Technology PersonnelPuspan. L. 116–92, div. A, title XVI, § 1652, Dec. 20, 2019, 133 Stat. 1761, provided that:“(a)Review Required.—Not later than January 1, 2021, each head of a covered department, component, or agency shall—“(1) complete a zero-based review of the cyber and information technology personnel of the head’s covered department, component, or agency; and
“(2) provide the Principal Cyber Advisor, the Chief Information Officer of the Department of Defense, and the Under Secretary of Defense for Personnel and Readiness the findings of the head with respect to the head’s covered department, component, or agency.
“(span)Covered Departments, Components, and Agencies.—For purposes of this section, a covered department, component, or agency is—“(1) an independent Department of Defense component or agency;
“(2) the Office of the Secretary of Defense;
“(3) a component of the Joint Staff;
“(4) a military department or an armed force; or
“(5) a reserve component of the Armed Forces.
“(c)Scope of Review.—As part of a review conducted pursuant to subsection (a)(1), the head of a covered department, component, or agency shall, with respect to the covered department, component, or agency of the head—“(1) assess military, civilian, and contractor positions and personnel performing cyber and information technology missions;
“(2) determine the roles and functions assigned by reviewing existing position descriptions and conducting interviews to quantify the current workload performed by military, civilian, and contractor workforce;
“(3) compare the Department’s manning with the manning of comparable industry organizations;
“(4) include evaluation of the utility of cyber- and information technology-focused missions, positions, and personnel within such components—“(A) to assess the effectiveness and efficiency of current activities;
“(B) to assess the necessity of increasing, reducing, or eliminating resources; and
“(C) to guide prioritization of investment and funding;
“(5) develop recommendations and objectives for organizational, manning, and equipping change, taking into account anticipated developments in information technologies, workload projections, automation and process enhancements, and Department requirements;
“(6) develop a gap analysis, contrasting the current organization and the objectives developed pursuant to paragraph (5); and
“(7) develop roadmaps of prioritized activities and a timeline for implementing the activities to close the gaps identified pursuant to paragraph (6).
“(d)Elements.—In carrying out a review pursuant to subsection (a)(1), the head of a covered department, component, or agency shall consider the following:“(1) Whether position descriptions and coding designators for given cybersecurity and information technology roles are accurate indicators of the work being performed.
“(2) Whether the function of any cybersecurity or information technology position or personnel can be replaced by acquisition of cybersecurity or information technology products or automation.
“(3) Whether a given component or subcomponent is over- or under-resourced in terms of personnel, using industry standards as a benchmark where applicable.
“(4) Whether cybersecurity service provider positions and personnel fit coherently into the enterprise-wide cybersecurity architecture and with the Department’s cyber protection teams.
“(5) Whether the function of any cybersecurity or information technology position or personnel could be conducted more efficiently or effectively by enterprise-level cyber or information technology personnel.
“(e)Furnishing Data and Analysis.—“(1)Data and analysis.—In carrying out subsection (a)(2), each head of a covered department, component, or agency, shall furnish to the Principal Cyber Advisor, the Chief Information Officer, and the Under Secretary a description of the analysis that led to the findings submitted under such subsection and the data used in such analysis.
“(2)Certification.—The Principal Cyber Advisor, the Chief Information Officer, and the Under Secretary of Defense shall jointly review each submittal under subsection (a)(2) and certify whether the findings and analysis are in compliance with the requirements of this section.
“(f)Recommendations.—After receiving findings submitted by a head of a covered department, component, or agency pursuant to paragraph (2) of subsection (a) with respect to a review conducted by the head pursuant to paragraph (1) of such subsection, the Principal Cyber Advisor, the Chief Information Officer, and the Under Secretary shall jointly provide to such head such recommendations as the Principal Cyber Advisor, the Chief Information Officer, and the Under Secretary may have for changes in manning or acquisition that proceed from such review.
“(g)Implementation.—The Principal Cyber Advisor, the Chief Information Officer, and the Under Secretary shall jointly oversee and assist in the implementation of the roadmaps developed pursuant to subsection (c)(7) and the recommendations developed pursuant to subsection (f).
“(h)In-progress Reviews.—Not later than six months after the date of the enactment of this Act [Dec. 20, 2019] and not less frequently than once every six months thereafter until the Principal Cyber Advisor, the Chief Information Officer, and the Under Secretary give the briefing required by subsection (i), the Principal Cyber Advisor, the Chief Information Officer, and the Under Secretary shall jointly—“(1) conduct in-progress reviews of the status of the reviews required by subsection (a)(1); and
“(2) provide the congressional defense committees [Committees on Armed Services and Appropriations of the Senate and the House of Representatives] with a briefing on such in-progress reviews.
“(i)Final Briefing.—After all of the reviews have been completed under paragraph (1) of subsection (a), after receiving all of the findings pursuant to paragraph (2) of such subsection, and not later than June 1, 2021, the Principal Cyber Advisor, the Chief Information Officer, and the Under Secretary shall jointly provide to the congressional defense committees a briefing on the findings of the Principal Cyber Advisor, the Chief Information Officer, and the Under Secretary with respect to such reviews, including such recommendations as the Principal Cyber Advisor, the Chief Information Officer, and the Under Secretary may have for changes to the budget of the Department as a result of such reviews.
“(j)Definition of Zero-based Review.—In this section, the term ‘zero-based review’ means a review in which an assessment is conducted with each item, position, or person costed anew, rather than in relation to its size or status in any previous budget.”
Actions Pending Full Implementation of Plan for Cyber Mission Force PositionsPuspan. L. 114–328, div. A, title XVI, § 1643(a), Dec. 23, 2016, 130 Stat. 2602, provided that: “Until the Secretary of Defense completes implementation of the authority in subsection (a) of section 1599f of title 10, United States Code, for United States Cyber Command workforce positions in accordance with the implementation plan required by subsection (d) of such section, the Secretary shall do each of the following:“(1) Notwithstanding sections 3309 through 3318 of title 5, United States Code, provide for and implement an interagency transfer agreement between excepted service position systems and competitive service position systems in military departments and Defense Agencies concerned to satisfy the requirements for cyber workforce positions from among a mix of employees in the excepted service and the competitive service in such military departments and Defense Agencies.
“(2) Implement in the defense civilian cyber personnel system a classification system commonly known as a ‘Rank-in-person’ classification system similar to such classification system used by the National Security Agency as of the date of the enactment of this Act [Dec. 23, 2016].
“(3) Approve direct hiring authority for cyber workforce positions up to the GG or GS–15 level in accordance with the criteria in section 3304 of title 5, United States Code.
“(4) Notwithstanding section 5333 of title 5, United States Code, authorize officials conducting hiring in the competitive service for cyber workforce positions to set starting salaries at up to a step-five level with no justification and at up to a step-ten level with justification that meets published guidelines applicable to the excepted service.”
