U.S. National Cyber Workforce and Education Strategy Published — July 31, 2023

The White House unveiled the National Cyber Workforce and Education Strategy (NCWES) on 31 July 2023, positioning talent development as the foundation for executing the U.S. National Cybersecurity Strategy. The plan responds to an estimated 663,000 unfilled cyber roles nationwide and sets out a whole-of-nation agenda to “skill, re-skill, and up-skill” Americans for cyber, privacy, and digital trust careers. It organises actions around four pillars: equip every American with foundational cyber skills, transform cyber education, expand and enhance the national cyber workforce, and strengthen the federal cyber workforce. For private-sector boards, the strategy is more than a public service announcement; it offers a roadmap for aligning governance, implementation, and DSAR-capable operations with national objectives. Companies that integrate NCWES milestones into talent plans can demonstrate to regulators and investors that they are developing the expertise necessary to manage cybersecurity and privacy risks.

NCWES recognises that traditional degree pipelines alone cannot meet demand. It calls on employers to embrace skills-based hiring, apprenticeships, community college partnerships, and upskilling of mid-career workers, including veterans and transitioning service members. The Office of the National Cyber Director (ONCD) will establish a National Cyber Workforce Coordination Group to track progress, while agencies such as the Departments of Labor, Education, Commerce, Homeland Security, and Veterans Affairs will launch specific programmes ranging from Registered Apprenticeships to scholarships for service. The strategy also stresses inclusivity, aiming to increase participation of women, people of colour, tribal communities, and rural populations. For companies, these directives translate into actionable steps: revising job descriptions to focus on competencies, investing in internal training aligned with NIST NICE work roles, and providing paid leave or tuition support for employees pursuing credentials.

Governance responsibilities

Boards should incorporate NCWES commitments into human capital oversight. Since the SEC requires disclosure of material human capital measures, directors can connect NCWES-aligned investments to these disclosures. Governance or compensation committees should request annual reviews of cyber talent strategies, covering pipeline health, retention, diversity, DSAR proficiency, and succession planning for key roles such as CISO, Chief Privacy Officer, and data governance leads. Metrics might include the percentage of cyber roles filled via apprenticeships, DSAR training completion rates, and cross-training of IT, legal, and customer support staff.

Directors should also ensure management updates enterprise risk management (ERM) frameworks to reflect workforce risks. Talent shortages can increase incident likelihood, slow DSAR response times, and undermine compliance. Boards can request scenario analyses quantifying how staffing gaps affect risk posture—for example, modelling the impact on incident response if Tier 2 analysts or privacy specialists remain unfilled for six months. Such analysis should inform budget decisions and guide investments in automation or managed services to mitigate shortfalls.

Implementation roadmap for employers

NCWES provides numerous levers for employers to pull. One of the earliest is participating in Department of Labor Registered Apprenticeship programmes. Employers can partner with workforce intermediaries to design apprenticeships that cover security operations, cloud engineering, and privacy compliance, including DSAR tooling and secure coding. Apprenticeships offer wage progression models and nationally recognised credentials, making them attractive for recruiting non-traditional candidates. Companies should also explore the Cybersecurity Workforce Sprint initiated by the Department of Labor and the White House, which encourages employers to adopt skills-based hiring frameworks and report newly created apprenticeship slots.

The strategy encourages integration of cyber concepts across all education levels. Companies can support this by partnering with K–12 schools, community colleges, and universities to co-develop curricula, provide guest lecturers, or sponsor capture-the-flag competitions. Importantly, NCWES urges alignment with the NICE Workforce Framework so that students acquire competencies matched to employer needs. Firms should share job task analyses with educators, emphasising privacy literacy and DSAR handling so that graduates can manage requests under GDPR, CCPA, or sectoral regimes. By contributing to curricula, companies can shape pipelines that feed both cybersecurity and privacy roles.

For current employees, NCWES highlights the need for continuous learning. Employers can build internal academies that offer modular training on zero trust, secure software development, data minimisation, incident response, and DSAR execution. Integrating training with performance management—tying certification achievements to promotion pathways—encourages retention. Employers should also sponsor employees to participate in federal programmes like the CyberCorps Scholarship for Service, the Department of Energy’s CyberForce Competition, and CISA’s cyber training events.

DSAR and privacy operations readiness

While NCWES is often framed as a cybersecurity initiative, it explicitly references data stewardship and privacy. Pillar 3 emphasises developing a workforce capable of safeguarding data and maintaining public trust. For businesses, this means embedding DSAR skills into workforce planning. Privacy offices should map DSAR workflows to NICE work roles (e.g., PRVC001 Privacy Compliance Manager, PRVD001 Privacy Engineer) and ensure training covers legal requirements, tooling, and customer communication. Companies can develop DSAR labs where staff practice responding to simulated access, deletion, and portability requests, including scenarios involving cross-border data, minors, or sensitive categories.

NCWES also calls for integrating privacy and security training for frontline workers, not just specialists. Customer service representatives, HR professionals, and marketing staff frequently receive DSARs or handle personal data. Employers should expand their security awareness programmes to include DSAR triage, data classification, and escalation procedures. Measuring proficiency through assessments and tracking completion within governance dashboards provides evidence of compliance and supports SEC human capital disclosures.

• Tool enablement. Implement DSAR platforms that support automation, role-based access, and integration with identity verification tools. Provide hands-on training so staff can use these platforms efficiently during high-volume periods, such as after a breach or major product launch.
• Cross-functional playbooks. Develop playbooks that link DSAR processing with incident response, legal review, and communications. Ensure apprentices and new hires understand these dependencies as part of onboarding.
• Metrics. Track DSAR turnaround time, accuracy, and customer satisfaction. Use the metrics to evaluate whether workforce initiatives are improving service levels and to identify training needs.

Federal partnerships and incentives

NCWES outlines numerous programmes that employers can leverage. The CHIPS and Science Act funds Regional Innovation Engines, many of which include cyber workforce components. Employers located near these hubs can collaborate on curriculum design, internships, and co-op placements. The Department of Commerce’s Economic Development Administration is funding Good Jobs Challenge projects that create sectoral partnerships for cybersecurity roles. Companies should monitor grant announcements and consider serving on advisory boards to influence programme design.

For federal contractors, NCWES signals increased scrutiny of workforce capabilities. Agencies may incorporate workforce criteria into contract evaluations, emphasising certifications, apprenticeship participation, and diversity commitments. Contractors should prepare documentation demonstrating compliance with NCWES-aligned expectations, including DSAR competencies when contracts involve handling personal data. Aligning with NCWES can also support responses to agency requests for information (RFIs) and proposals that ask about cyber workforce strategies.

Strengthening the federal workforce and supply chain impact

Pillar 4 focuses on the federal workforce, directing agencies to streamline hiring, expand pay flexibilities, and improve retention. While targeted at government, these initiatives affect contractors and suppliers. For instance, agencies adopting skills-based hiring may expect vendors to follow suit. Federal retention incentives, such as special salary rates for cyber positions, may intensify competition for talent. Companies should benchmark compensation and consider joint training programmes with agencies to maintain alignment. Sharing employees through the Cyber Talent Exchange Program, which enables temporary rotations between federal agencies and private firms, can deepen relationships while exposing staff to government DSAR practices and incident response coordination.

NCWES also emphasises workforce analytics. The Office of Personnel Management will enhance data on federal cyber positions, and ONCD plans to release dashboards tracking national progress. Private-sector employers should mirror this approach by building internal analytics capabilities that monitor hiring, retention, and skills gaps. Dashboards should link to DSAR performance, incident metrics, and compliance outcomes, enabling executives to demonstrate how workforce investments translate into resilience.

Equity and community engagement

The strategy highlights the need to engage underrepresented communities through initiatives like the Cybersecurity Education and Training Assistance Program (CETAP), CyberStart America, and collaborations with Historically Black Colleges and Universities (HBCUs), Hispanic-Serving Institutions (HSIs), Tribal Colleges and Universities (TCUs), and community organisations. Companies can support these efforts via scholarships, mentorship, and donations of equipment or lab space. Importantly, engagement should include privacy and DSAR education so communities understand data rights and can pursue careers in digital trust. Firms may sponsor “Know Your Data Rights” workshops or integrate DSAR simulations into hackathons.

Employers should measure the effectiveness of equity initiatives by tracking demographic representation across cyber and privacy roles, analysing promotion and retention data, and surveying employees about belonging and career support. Transparent reporting on progress can build trust with regulators and the public, while failure to demonstrate inclusion may attract scrutiny from investors focused on ESG metrics.

Practical next steps

To operationalise NCWES, organisations can adopt a structured plan:

1. Gap analysis. Benchmark current workforce practices against NCWES pillars. Identify gaps in skills-based hiring, apprenticeship participation, DSAR training, and diversity.
2. Programme design. Develop or expand apprenticeship programmes, create internal academies, and formalise partnerships with educational institutions. Include modules on privacy law, DSAR operations, and secure software lifecycles.
3. Measurement and reporting. Build dashboards that track hiring pipelines, training completion, DSAR performance, and representation. Report progress to the board and incorporate highlights into SEC human capital disclosures and sustainability reports.

By embedding NCWES guidance into corporate governance, implementation roadmaps, and DSAR operations, companies can address the talent shortfall while reinforcing customer trust. The strategy provides a federally endorsed framework for investing in people; organisations that act now will be better positioned to handle evolving cyber threats, regulatory scrutiny, and the expectation that data rights are protected by a skilled, diverse workforce.