Policy Briefing — U.S. National Cyber Workforce and Education Strategy
The Biden Administration’s 31 July 2023 National Cyber Workforce and Education Strategy calls for board-level oversight of talent pipelines, implementation partnerships across academia and industry, and privacy-aware analytics that respect DSAR rights for learners and employees.
The White House published the National Cyber Workforce and Education Strategy (NCWES) on 31 July 2023, presenting a whole-of-nation plan to close the United States’ cybersecurity talent gap and expand digital opportunity. Developed by the Office of the National Cyber Director (ONCD) with input from the Departments of Labor, Education, Commerce, Homeland Security, and other agencies, the strategy aligns with the National Cybersecurity Strategy and focuses on four pillars: (1) equip every American with foundational cyber skills, (2) transform cyber education, (3) expand and enhance America’s cyber workforce, and (4) strengthen the federal cyber workforce. Boards and executive teams should view the NCWES as both a call to collaborate with government and a roadmap for internal workforce planning. Organisations must update governance structures, forge implementation partnerships, and manage workforce data responsibly so analytics programmes respect data subject access requests (DSARs) from employees, students, and apprentices.
The strategy sets ambitious goals: integrate cyber literacy into K-12 curricula, grow registered apprenticeships and earn-and-learn pathways, promote skills-based hiring, scale the CyberCorps: Scholarship for Service programme, and modernise federal hiring and retention. It emphasises diversity, equity, inclusion, and accessibility (DEIA), aiming to reach historically excluded communities and ensure veterans, military spouses, rural populations, and justice-involved individuals can pursue cyber careers. The plan encourages private-sector collaboration through commitments to provide training, mentorship, internships, and scholarships, and it highlights funding streams such as the CHIPS and Science Act, the Inflation Reduction Act, and National Science Foundation grants.
Governance considerations
Boards should integrate NCWES objectives into human capital oversight. Compensation and governance committees should review whether workforce strategies incorporate cyber-specific metrics—headcount demand, attrition, diversity, and training investments—and whether they align with corporate risk appetites. Directors should request inventories of partnerships with educational institutions, community organisations, and workforce boards, ensuring programmes reach diverse candidates and comply with labour regulations. Governance should also ensure that workforce development initiatives align with privacy and data-protection policies; for example, analytics platforms tracking training outcomes must respect consent requirements and DSAR rights under laws like CCPA, GDPR (for multinational employers), and state-level privacy statutes.
Boards should also examine how NCWES intersects with broader regulatory expectations. Sector regulators increasingly scrutinise cyber workforce readiness—such as the Securities and Exchange Commission’s cyber disclosure rules or healthcare accreditation requirements. Governance frameworks must ensure incident response and cyber risk management plans include staffing contingency strategies and that third-party risk programmes evaluate vendors’ workforce competencies. Directors may consider linking executive incentives to cyber workforce targets, including apprenticeship completions or reduction in unfilled cyber roles.
Implementation roadmap
Operational leaders should structure NCWES alignment around four workstreams mirroring the strategy’s pillars. Foundational skills initiatives can include sponsoring K-12 cybersecurity curricula, volunteering employees as mentors in programmes like CyberPatriot, and supporting state education agencies adopting the K-12 Cybersecurity Learning Standards. Organisations should document learning outcomes, participant demographics, and community impact, ensuring data-collection practices respect parental consent and student privacy laws (FERPA, COPPA). DSAR procedures must anticipate requests from students or parents seeking access to programme records.
Education transformation requires partnerships with community colleges, universities, and training providers to develop modular, stackable credentials. Companies can co-design curriculum aligned with industry frameworks such as the NICE Workforce Framework for Cybersecurity (NIST SP 800-181). Implementation teams should set up articulation agreements, provide labs or cloud credits, and offer adjunct faculty support. Memoranda of understanding should address intellectual property, privacy, and DSAR cooperation for learners accessing digital platforms. Organisations should also invest in simulation environments and cyber ranges that capture telemetry for skills assessment, ensuring logs are managed securely and accessible for DSARs.
Workforce expansion involves scaling apprenticeships, internships, and reskilling programmes. Employers should leverage the Department of Labor’s Registered Apprenticeship Programme, design competency-based progression, and integrate wraparound services (childcare, transportation stipends) for underrepresented talent. HR teams must adapt hiring policies to recognise skills and certifications rather than only four-year degrees. Systems tracking candidate progress, assessments, and retention should incorporate privacy notices and DSAR workflows. Companies should evaluate background-check policies, ensuring fairness and compliance with EEOC guidance, and maintain documentation to address DSAR inquiries about hiring decisions.
Federal workforce collaboration invites private-sector support through detailees, exchange programmes, and joint research projects. Contractors serving federal agencies should align with NCWES initiatives, offering training to government partners and participating in talent exchanges. Contract clauses should specify data-handling practices for participants, including DSAR coordination when personal records are shared between organisations. Employers should prepare to report workforce statistics to agencies as part of grant or contract performance requirements, validating data quality and privacy safeguards.
Data governance and DSAR readiness
Workforce analytics underpinning NCWES initiatives can involve sensitive personal data—demographics, performance scores, certifications, and mentoring interactions. Privacy teams must update records of processing to cover education partnerships and apprenticeship tracking. Consent management platforms should capture participant permissions for data sharing with schools, nonprofits, or government partners. DSAR playbooks should detail how to retrieve training transcripts, assessment results, mentoring communications, and program evaluations, ensuring redaction of third-party information. For multinational employers, cross-border transfer assessments may be required when sharing workforce data with global training vendors or subsidiaries.
Organisations should apply privacy-enhancing technologies where feasible, such as differential privacy for aggregated reporting or secure multiparty computation for collaborative analytics. Security controls must protect learning management systems and talent platforms against breaches, with incident response plans describing notification, DSAR handling, and remediation. Documentation should capture retention schedules, specifying how long apprenticeship data is stored and how it is de-identified after programme completion.
Measurement and assurance
To demonstrate alignment with NCWES, companies should establish dashboards tracking cyber workforce supply and demand, training completion rates, certification attainment, diversity metrics, and participant satisfaction. Metrics should also cover DSAR volume related to workforce programmes and response times. Internal audit can review workforce initiatives to ensure they meet governance expectations, comply with labour and privacy laws, and align with contractual obligations. Auditors should test the accuracy of reported metrics, evaluate the effectiveness of partnerships, and verify that DSAR processes return complete and timely information.
Public transparency builds trust. Organisations may publish annual reports summarising cyber workforce investments, partnerships, and outcomes—ideally aligned with sustainability or human-capital disclosures under frameworks like the SEC’s human capital reporting or the Global Reporting Initiative. Reports should explain privacy safeguards, DSAR procedures, and grievance mechanisms for programme participants. By embracing the NCWES, enterprises can mitigate cyber talent shortages, support national security objectives, and demonstrate responsible stewardship of participant data.




