
U.S. National Cyber Workforce and Education Strategy Published — July 31, 2023

The Biden Administration’s July 2023 National Cyber Workforce and Education Strategy lays out 30-plus initiatives to grow and diversify the talent pipeline, demanding governance focus on apprenticeships, privacy-aware curricula, DSAR operations training, and metrics that prove workforce investments support resilience.

Accuracy-reviewed by the editorial team


The White House unveiled the National Cyber Workforce and Education Strategy (NCWES) on July 31, 2023, positioning talent development as the foundation for executing the U.S. National Cybersecurity Strategy. The plan responds to an estimated 663,000 unfilled cyber roles nationwide and sets out a whole-of-nation agenda to “skill, re-skill, and up-skill” Americans for cyber, privacy, and digital trust careers. It organizes actions around four pillars: equip every American with foundational cyber skills, transform cyber education, expand and improve the national cyber workforce, and strengthen the federal cyber workforce. For private-sector boards, the strategy is more than a public service announcement; it offers a roadmap for aligning governance, setup, and DSAR-capable operations with national objectives. Companies that integrate NCWES milestones into talent plans can show regulators and investors that they are developing the expertise necessary to manage cybersecurity and privacy risks.

NCWES recognizes that traditional degree pipelines alone cannot meet demand. It calls on employers to embrace skills-based hiring, apprenticeships, community college partnerships, and upskilling of mid-career workers, including veterans and transitioning service members.

The Office of the National Cyber Director (ONCD) will set up a National Cyber Workforce Coordination Group to track progress, while agencies such as the Departments of Labor, Education, Commerce, Homeland Security, and Veterans Affairs will launch specific programs ranging from Registered Apprenticeships to scholarships for service. The strategy also stresses inclusivity, aiming to increase participation of women, people of color, tribal communities, and rural populations. For companies, these directives translate into actionable steps: revising job descriptions to focus on competencies, investing in internal training aligned with NIST NICE work roles, and providing paid leave or tuition support for employees pursuing credentials.

Governance responsibilities

Boards should incorporate NCWES commitments into human capital oversight. Since the SEC requires disclosure of material human capital measures, directors can connect NCWES-aligned investments to these disclosures. Governance or compensation committees should request annual reviews of cyber talent strategies, covering pipeline health, retention, diversity, DSAR proficiency, and succession planning for key roles such as CISO, Chief Privacy Officer, and data governance leads. Metrics might include the percentage of cyber roles filled via apprenticeships, DSAR training completion rates, and cross-training of IT, legal, and customer support staff.

Directors should also ensure management updates enterprise risk management (ERM) frameworks to reflect workforce risks. Talent shortages can increase incident likelihood, slow DSAR response times, and undermine compliance. Boards can request scenario analyses quantifying how staffing gaps affect risk posture—for example, modeling the impact on incident response if Tier 2 analyst or privacy specialist roles remain unfilled for six months. Such analysis should inform budget decisions and guide investments in automation or managed services to mitigate shortfalls.

Implementation roadmap for employers

NCWES provides numerous levers for employers to pull. One of the earliest is participating in Department of Labor Registered Apprenticeship programs.

Employers can partner with workforce intermediaries to design apprenticeships that cover security operations, cloud engineering, and privacy compliance, including DSAR tooling and secure coding. Apprenticeships offer wage progression models and nationally recognized credentials, making them attractive for recruiting non-traditional candidates. Companies should also explore the Cybersecurity Workforce Sprint initiated by the Department of Labor and the White House, which encourages employers to adopt skills-based hiring frameworks and report newly created apprenticeship slots.

The strategy encourages integration of cyber concepts across all education levels. Companies can support this by partnering with K–12 schools, community colleges, and universities to co-develop curricula, provide guest lecturers, or sponsor capture-the-flag competitions. More importantly, NCWES urges alignment with the NICE Workforce Framework so that students acquire competencies matched to employer needs. Firms should share job task analyses with educators, emphasizing privacy literacy and DSAR handling so that graduates can manage requests under GDPR, CCPA, or sectoral regimes. By contributing to curricula, companies can shape pipelines that feed both cybersecurity and privacy roles.

For current employees, NCWES highlights the need for continuous learning. Employers can build internal academies that offer modular training on zero trust, secure software development, data minimization, incident response, and DSAR execution. Integrating training with performance management—tying certification achievements to promotion pathways—encourages retention. Employers should also sponsor employees to participate in federal programs like the CyberCorps Scholarship for Service, the Department of Energy’s CyberForce Competition, and CISA’s cyber training events.

DSAR and privacy operations readiness

While NCWES is often framed as a cybersecurity initiative, it explicitly references data stewardship and privacy. Pillar 3 emphasizes developing a workforce capable of safeguarding data and maintaining public trust.

For businesses, this means embedding DSAR skills into workforce planning. Privacy offices should map DSAR workflows to NICE work roles (for example, PRVC001 Privacy Compliance Manager, PRVD001 Privacy Engineer) and ensure training covers legal requirements, tooling, and customer communication. Companies can develop DSAR labs where staff practice responding to simulated access, deletion, and portability requests, including scenarios involving cross-border data, minors, or sensitive categories.

NCWES also calls for integrating privacy and security training for frontline workers, not just specialists. Customer service representatives, HR professionals, and marketing staff frequently receive DSARs or handle personal data. Employers should expand their security awareness programs to include DSAR triage, data classification, and escalation procedures. Measuring proficiency through assessments and tracking completion within governance dashboards provides evidence of compliance and supports SEC human capital disclosures.

  • Tool enablement. Implement DSAR platforms that support automation, role-based access, and integration with identity verification tools. Provide hands-on training so staff can use these platforms efficiently during high-volume periods, such as after a breach or major product launch.
  • Cross-functional playbooks. Develop playbooks that link DSAR processing with incident response, legal review, and communications. Ensure apprentices and new hires understand these dependencies as part of onboarding.
  • Metrics. Track DSAR turnaround time, accuracy, and customer satisfaction. Use the metrics to evaluate whether workforce initiatives are improving service levels and to identify training needs.

Federal partnerships and incentives

NCWES outlines numerous programs that employers can use. The CHIPS and Science Act funds Regional Innovation Engines, many of which include cyber workforce components. Employers located near these hubs can collaborate on curriculum design, internships, and co-op placements. The Department of Commerce’s Economic Development Administration is funding Good Jobs Challenge projects that create sectoral partnerships for cybersecurity roles. Companies should monitor grant announcements and consider serving on advisory boards to influence program design.

For federal contractors, NCWES signals increased scrutiny of workforce capabilities. Agencies may incorporate workforce criteria into contract evaluations, emphasizing certifications, apprenticeship participation, and diversity commitments. Contractors should prepare documentation demonstrating compliance with NCWES-aligned expectations, including DSAR competencies when contracts involve handling personal data. Aligning with NCWES can also support responses to agency requests for information (RFIs) and proposals that ask about cyber workforce strategies.

Strengthening the federal workforce and supply chain impact

Pillar 4 focuses on the federal workforce, directing agencies to simplify hiring, expand pay flexibilities, and improve retention. While targeted at government, these initiatives affect contractors and suppliers. For example, agencies adopting skills-based hiring may expect vendors to follow suit.

Federal retention incentives, such as special salary rates for cyber positions, may intensify competition for talent. Companies should benchmark compensation and consider joint training programs with agencies to maintain alignment. Sharing employees through the Cyber Talent Exchange Program, which enables temporary rotations between federal agencies and private firms, can deepen relationships while exposing staff to government DSAR practices and incident response coordination.

NCWES also emphasizes workforce analytics. The Office of Personnel Management will improve data on federal cyber positions, and ONCD plans to release dashboards tracking national progress. Private-sector employers should mirror this approach by building internal analytics capabilities that monitor hiring, retention, and skills gaps. Dashboards should link to DSAR performance, incident metrics, and compliance outcomes, enabling executives to show how workforce investments translate into resilience.

Equity and community engagement

The strategy highlights the need to engage underrepresented communities through initiatives like the Cybersecurity Education and Training Assistance Program (CETAP), CyberStart America, and collaborations with Historically Black Colleges and Universities (HBCUs), Hispanic-Serving Institutions (HSIs), Tribal Colleges and Universities (TCUs), and community teams. Companies can support these efforts via scholarships, mentorship, and donations of equipment or lab space. More importantly, engagement should include privacy and DSAR education so communities understand data rights and can pursue careers in digital trust. Firms may sponsor “Know Your Data Rights” workshops or integrate DSAR simulations into hackathons.

Employers should measure the effectiveness of equity initiatives by tracking demographic representation across cyber and privacy roles, analyzing promotion and retention data, and surveying employees about belonging and career support. Transparent reporting on progress can build trust with regulators and the public, while failure to show inclusion may attract scrutiny from investors focused on ESG metrics.

Practical next steps

To operationalize NCWES, teams can adopt a structured plan:

  1. Gap analysis. Benchmark current workforce practices against NCWES pillars. Identify gaps in skills-based hiring, apprenticeship participation, DSAR training, and diversity.
  2. Program design. Develop or expand apprenticeship programs, create internal academies, and formalize partnerships with educational institutions. Include modules on privacy law, DSAR operations, and secure software lifecycles.
  3. Measurement and reporting. Build dashboards that track hiring pipelines, training completion, DSAR performance, and representation. Report progress to the board and incorporate highlights into SEC human capital disclosures and sustainability reports.

By embedding NCWES guidance into corporate governance, setup roadmaps, and DSAR operations, companies can address the talent shortfall while reinforcing customer trust. The strategy provides a federally endorsed framework for investing in people; teams that act now will be better positioned to handle evolving cyber threats, regulatory scrutiny, and the expectation that data rights are protected by a skilled, diverse workforce.
