U.S. National Cyber Workforce and Education Strategy

The White House published the National Cyber Workforce and Education Strategy (NCWES) on 31 July 2023, presenting a whole-of-nation plan to close the United States’ cybersecurity talent gap and expand digital opportunity. Developed by the Office of the National Cyber Director (ONCD) with input from the Departments of Labor, Education, Commerce, Homeland Security, and other agencies, the strategy follows the National Cybersecurity Strategy and focuses on four pillars: (1) equip every American with foundational cyber skills, (2) transform cyber education, (3) expand and improve America’s cyber workforce, and (4) strengthen the federal cyber workforce. Boards and executive teams should view the NCWES as both a call to collaborate with government and a roadmap for internal workforce planning. Teams must update governance structures, forge setup partnerships, and manage workforce data responsibly so analytics programs respect data subject access requests (DSARs) from employees, students, and apprentices.

The strategy sets ambitious goals: integrate cyber literacy into K-12 curricula, grow registered apprenticeships and earn-and-learn pathways, promote skills-based hiring, scale the CyberCorps: Scholarship for Service program, and modernize federal hiring and retention.

It emphasizes diversity, equity, inclusion, and accessibility (DEIA), aiming to reach historically excluded communities and ensure veterans, military spouses, rural populations, and justice-involved individuals can pursue cyber careers. The plan encourages private-sector collaboration through commitments to provide training, mentorship, internships, and scholarships, and it highlights funding streams such as the CHIPS and Science Act, the Inflation Reduction Act, and National Science Foundation grants.

Governance considerations

Boards should integrate NCWES objectives into human capital oversight. Compensation and governance committees should review whether workforce strategies incorporate cyber-specific metrics—headcount demand, attrition, diversity, and training investments—and whether they align with corporate risk appetites.

Directors should request inventories of partnerships with educational institutions, community teams, and workforce boards, ensuring programs reach diverse candidates and comply with labor regulations. Governance should also ensure that workforce development initiatives align with privacy and data-protection policies; for example, analytics platforms tracking training outcomes must respect consent requirements and DSAR rights under laws like CCPA, GDPR (for multinational employers), and state-level privacy statutes.

Boards should also examine how NCWES intersects with broader regulatory expectations. Sector regulators now scrutinise cyber workforce readiness—such as the Securities and Exchange Commission’s cyber disclosure rules or healthcare accreditation requirements. Governance frameworks must ensure incident response and cyber risk management plans include staffing contingency strategies and that third-party risk programs evaluate vendors’ workforce competencies. Directors may consider linking executive incentives to cyber workforce targets, including apprenticeship completions or reduction in unfilled cyber roles.

How to implement this

Operational leaders should structure NCWES alignment around four workstreams mirroring the strategy’s pillars. Foundational skills initiatives can include sponsoring K-12 cybersecurity curricula, volunteering employees as mentors in programs like CyberPatriot, and supporting state education agencies adopting the K-12 Cybersecurity Learning Standards. Teams should document learning outcomes, participant demographics, and community impact, ensuring data-collection practices respect parental consent and student privacy laws (FERPA, COPPA). DSAR procedures must anticipate requests from students or parents seeking access to program records.

Education transformation requires partnerships with community colleges, universities, and training providers to develop modular, stackable credentials. Companies can co-design curriculum aligned with industry frameworks such as NICE Workforce Framework for Cybersecurity (NIST SP 800-181). Implementation teams should set up articulation agreements, provide labs or cloud credits, and offer adjunct faculty support. Memoranda of understanding should address intellectual property, privacy, and DSAR cooperation for learners accessing digital platforms. Teams should also invest in simulation environments and cyber ranges that capture telemetry for skills assessment—ensuring logs are managed securely and accessible for DSAR requests.

Workforce expansion involves scaling apprenticeships, internships, and reskilling programs. Employers should use the Department of Labor’s Registered Apprenticeship program, design competency-based progression, and integrate wraparound services (childcare, transportation stipends) for underrepresented talent. HR teams must adapt hiring policies to recognize skills and certifications rather than only four-year degrees. Systems tracking candidate progress, assessments, and retention should incorporate privacy notices and DSAR workflows. Companies should evaluate background-check policies, ensuring fairness and compliance with EEOC guidance, and maintain documentation to address DSAR inquiries about hiring decisions.

Federal workforce collaboration invites private-sector support through detailees, exchange programs, and joint research projects. Contractors serving federal agencies should align with NCWES initiatives, offering training to government partners and participating in talent exchanges. Contract clauses should specify data-handling practices for participants, including DSAR coordination when personal records are shared between teams. Employers should prepare to report workforce statistics to agencies as part of grant or contract performance requirements, validating data quality and privacy safeguards.

Data governance and DSAR readiness

Workforce analytics underpinning NCWES initiatives can involve sensitive personal data—demographics, performance scores, certifications, and mentoring interactions. Privacy teams must update records of processing to cover education partnerships and apprenticeship tracking.

Consent management platforms should capture participant permissions for data sharing with schools, nonprofits, or government partners. DSAR playbooks should detail how to retrieve training transcripts, assessment results, mentoring communications, and program evaluations, ensuring redaction of third-party information. For multinational employers, cross-border transfer assessments may be required when sharing workforce data with global training vendors or subsidiaries.

Teams should apply privacy-enhancing technologies where feasible, such as differential privacy for aggregated reporting or secure multiparty computation for collaborative analytics. Security controls must protect learning management systems and talent platforms against breaches, with incident response plans describing notification, DSAR handling, and remediation. Documentation should capture retention schedules, specifying how long apprenticeship data is stored and how it is de-identified after program completion.

Measurement and assurance

To show alignment with NCWES, companies should establish dashboards tracking cyber workforce supply and demand, training completion rates, certification achievement, diversity metrics, and participant satisfaction. Metrics should also cover DSAR volume related to workforce programs and response times. Internal audit can review workforce initiatives to ensure they meet governance expectations, comply with labor and privacy laws, and align with contractual obligations. Auditors should test the accuracy of reported metrics, evaluate the effectiveness of partnerships, and verify that DSAR processes return complete and timely information.

Public transparency builds trust. Teams may publish annual reports summarizing cyber workforce investments, partnerships, and outcomes—ideally aligned with sustainability or human-capital disclosures under frameworks like the SEC’s human capital reporting or the Global Reporting Initiative. Reports should explain privacy safeguards, DSAR procedures, and grievance mechanisms for program participants. By embracing the NCWES, enterprises can mitigate cyber talent shortages, support national security objectives, and show responsible stewardship of participant data.

You may also find useful

Hand-picked articles on adjacent topics.

Policy · Credibility 71/100 · October 30, 2023

U.S. Executive Order 14110 on Safe, Secure, and Trustworthy AI

Biden's AI executive order is the most aggressive federal AI action yet. Foundation model developers now have to report to the government when they start training runs above certain compute thresholds, share safety test…

Policy · Credibility 91/100 · October 4, 2022

U.S. Blueprint for an AI Bill of Rights — Implementation Guide

OSTP’s Blueprint for an AI Bill of Rights sets five principles—safe systems, anti-discrimination safeguards, privacy, notice, and human fallback—that organizations must translate into governance, testing, and…

Policy · Credibility 71/100 · October 4, 2022

White House releases Blueprint for an AI Bill of Rights

The U.S. White House Office of Science and Technology Policy published a Blueprint for an AI Bill of Rights on 4 October 2022, outlining five principles to guide the design and deployment of automated systems.

Policy · Credibility 89/100 · September 30, 2022

FinCEN Beneficial Ownership Reporting Rule — Compliance Playbook

FinCEN’s Corporate Transparency Act final rule compels most U.S. and foreign reporting companies to submit beneficial ownership and company applicant data starting 1 January 2024, requiring entity inventories, secure…

Policy · Credibility 71/100 · March 15, 2022

U.S. Cyber Incident Reporting for Critical Infrastructure Act Signed

Critical infrastructure operators now have federal reporting requirements for cyber incidents. CIRCIA means you have got 72 hours to report significant incidents to CISA, and 24 hours if you pay a ransom. The liability…

Continue in the Policy pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• AI Policy Implementation Guide

  Coordinate governance, safety, and reporting programmes that meet EU Artificial Intelligence Act timelines and U.S. National AI Initiative Act mandates while sustaining product…

• Digital Markets Compliance Guide

  Implement EU Digital Markets Act, EU Digital Services Act, UK Digital Markets, Competition and Consumers Act, and U.S. Sherman Act requirements with cross-functional operating…

• Semiconductor Industrial Strategy Policy Guide

  Coordinate CHIPS and Science Act, EU Chips Act, and Defense Production Act programmes with capital planning, compliance, and supplier readiness.

Coverage intelligence

Published

July 31, 2023

Coverage pillar

Policy

Source credibility

92/100 — high confidence

Topics

National Cyber Workforce and Education Strategy · Workforce development · Cybersecurity education · United States

Sources cited

3 sources (hitehouse.gov)

Reading time

6 min

Documentation

1. White House fact sheet: Biden-Harris Administration announces National Cyber Workforce and Education Strategy (July 31, 2023) — www.whitehouse.gov
2. National Cyber Workforce and Education Strategy (July 2023) — www.whitehouse.gov
3. Office of the National Cyber Director announcement: The National Cyber Workforce and Education Strategy (July 31, 2023) — www.whitehouse.gov