Looking Ahead at the
Cybersecurity Workforce at the
Federal Aviation Administration
Committee on Cybersecurity Workforce of the
Federal Aviation Administration
Board on Human-Systems Integration
Division of Behavioral and Social Sciences and Education
Computer Science and Telecommunications Board
Division on Engineering and Physical Sciences
A Consensus Study Report of
THE NATIONAL ACADEMIES PRESS
Washington, DC
www.nap.edu
THE NATIONAL ACADEMIES PRESS 500 Fifth Street, NW Washington, DC 20001
This activity was supported by contract number 692M15-19-T-00028 between the National Academy of Sciences and the Federal Aviation Administration. Any opinions, findings, conclusions, or recommendations expressed in this publication do not necessarily reflect the views of any organization or agency that provided support for the project.
International Standard Book Number-13: 978-0-309-39150-4
International Standard Book Number-10: 0-309-39150-4
Digital Object Identifier: https://doi.org/10.17226/26105
Additional copies of this publication are available from the National Academies Press, 500 Fifth Street, NW, Keck 360, Washington, DC 20001; (800) 624-6242 or (202) 334-3313; http://www.nap.edu.
Copyright 2021 by the National Academy of Sciences. All rights reserved.
Printed in the United States of America
Suggested citation: National Academies of Sciences, Engineering, and Medicine. 2021. Looking Ahead at the Cybersecurity Workforce at the Federal Aviation Administration. Washington, DC: The National Academies Press. https://doi.org/10.17226/26105.
The National Academy of Sciences was established in 1863 by an Act of Congress, signed by President Lincoln, as a private, nongovernmental institution to advise the nation on issues related to science and technology. Members are elected by their peers for outstanding contributions to research. Dr. Marcia McNutt is president.
The National Academy of Engineering was established in 1964 under the charter of the National Academy of Sciences to bring the practices of engineering to advising the nation. Members are elected by their peers for extraordinary contributions to engineering. Dr. John L. Anderson is president.
The National Academy of Medicine (formerly the Institute of Medicine) was established in 1970 under the charter of the National Academy of Sciences to advise the nation on medical and health issues. Members are elected by their peers for distinguished contributions to medicine and health. Dr. Victor J. Dzau is president.
The three Academies work together as the National Academies of Sciences, Engineering, and Medicine to provide independent, objective analysis and advice to the nation and conduct other activities to solve complex problems and inform public policy decisions. The National Academies also encourage education and research, recognize outstanding contributions to knowledge, and increase public understanding in matters of science, engineering, and medicine.
Learn more about the National Academies of Sciences, Engineering, and Medicine at www.nationalacademies.org.
Consensus Study Reports published by the National Academies of Sciences, Engineering, and Medicine document the evidence-based consensus on the study’s statement of task by an authoring committee of experts. Reports typically include findings, conclusions, and recommendations based on information gathered by the committee and the committee’s deliberations. Each report has been subjected to a rigorous and independent peer-review process and it represents the position of the National Academies on the statement of task.
Proceedings published by the National Academies of Sciences, Engineering, and Medicine chronicle the presentations and discussions at a workshop, symposium, or other event convened by the National Academies. The statements and opinions contained in proceedings are those of the participants and are not endorsed by other participants, the planning committee, or the National Academies.
For information about other products and activities of the National Academies, please visit www.nationalacademies.org/about/whatwedo.
COMMITTEE ON CYBERSECURITY WORKFORCE OF THE FEDERAL AVIATION ADMINISTRATION
DIANA L. BURLEY, Co-Chair, American University
TONYA L. SMITH-JACKSON, Co-Chair, North Carolina A&T State University
RODNEY C. ADKINS, 3RAM Group
JANDRIA S. ALEXANDER, Booz Allen Hamilton
MARILYN BARRIOS, Motorola Solutions
CHARLES BLAUNER, Cyber Aegis; Team8 Ventures
MICHAEL D. COOVERT, University of South Florida
BARBARA ENDICOTT-POPOVSKY, University of Washington
ERIC GROSSE, Security Consultant
ROBERT S. GUTZWILLER, Arizona State University
KATYA LE BLANC, Idaho National Laboratory
NAN SHELLABARGER, FAA (Retired)
Staff
DANIEL TALMAGE, Co-Study Director
BRENDAN ROACH, Co-Study Director
ADAM JONES, Senior Program Assistant
TOBY WARDEN, Board Director, Board on Human-Systems Integration
JON EISENBERG, Board Director, Computer Science and Telecommunications Board
MONICA STARNES, Senior Program Officer, Transportation Research Board
BOARD ON HUMAN-SYSTEMS INTEGRATION
FREDERICK OSWALD, Department of Psychology, Rice University, Chair
JAMES BAGIAN (NAE/NAM), Institute for Healthcare Policy and Innovation, University of Michigan, Ann Arbor
DIANA BURLEY, Graduate School of Education and Human Development, George Washington University
BARBARA DOSHER (NAS), School of Social Sciences, University of California, Irvine
MICA ENDSLEY, SA Technologies, Mesa, Arizona
EDMOND ISRAELSKI, AbbVie, North Chicago, Illinois
JOHN LOCKETT, United States Army Research Laboratory (Retired)
NAJMEDIN MESHKATI, Viterbi School of Engineering, University of Southern California
EMILIE ROTH, Roth Cognitive Engineering, Stanford, California
WILLIAM J. STRICKLAND, Human Resources Research Organization, Alexandria, Virginia
MATTHEW WEINGER, Vanderbilt University Medical Center
Staff
TOBY WARDEN, Director
COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD
LAURA HAAS (NAE), University of Massachusetts, Amherst, Chair
DAVID CULLER (NAE), University of California, Berkeley
ERIC HORVITZ (NAE), Microsoft Corporation
CHARLES ISBELL, Georgia Institute of Technology
BETH MYNATT, Georgia Institute of Technology
CRAIG PARTRIDGE, Colorado State University
DANIELA RUS (NAE), Massachusetts Institute of Technology
FRED B. SCHNEIDER (NAE), Cornell University
MARGO SELTZER, University of British Columbia
NAMBIRAJAN SESHADRI, University of California, San Diego
MOSHE VARDI (NAS, NAE), Rice University
Staff
JON EISENBERG, Director
This page intentionally left blank.
Preface
This report addresses the cybersecurity workforce challenges, and the strategic opportunities to meet those challenges, facing the Federal Aviation Administration (FAA) as it navigates the realities of modernization and an increasingly digitized National Airspace System (NAS). As the committee carried out its tasks, our knowledge and appreciation of the complexities associated with the FAA cybersecurity workforce has grown tremendously. The FAA is on par with other federal agencies in terms of the current capacity, capability, and diversity of its cybersecurity workforce. However, as the agency’s digital footprint increases, their attack surface and vulnerability to outside threats will increase as well. The critical mission of the FAA necessitates that the agency strategically build a workforce that is able to meet both current and future needs.
The global demand for well-trained cybersecurity professionals in both industry and government continues to grow, and the tight labor market shows no signs of slowing. Given the strong demand, the FAA should simultaneously enact both short- and longer-term strategies to fill workforce needs. Fortunately, numerous opportunities exist for the FAA to grow the pool of available candidates and to develop capacity within their existing workforce. Through the varied recruitment and workforce development initiatives offered as recommendations throughout this report, the FAA can build a diverse pool of highly qualified candidates and strengthen workforce enhancement efforts.
We wish to express our deep appreciation to the members of the committee for their diligent and dedicated contributions. The committee’s expertise and knowledge were indispensable throughout our deliberations. Their efforts, which often required working nights and weekends, are particularly notable given the incredibly challenging year. We cannot thank them enough. On behalf of the entire committee, we also wish to thank the National Academies of Sciences, Engineering, and Medicine staff for their outstanding support and guidance. We are also deeply appreciative to Heather Kreidler for her writing and fact checking. The report benefited deeply from the editing skills of Laura Yoder. Additionally, we want to express our sincere gratitude to everyone who contributed their time, expertise, and experiences to our committee. The presentations, resources, and insights contributed immensely to our deliberations. Finally, we wish to thank the FAA staff for their partnership and forthright participation throughout this process. We offer this report in the spirit of that partnership and believe that the concrete, actionable recommendations provided within will aid agency leaders as they continue to build the cybersecurity workforce and achieve their mission of providing the “safest, most efficient aerospace system in the world.”
Diana Burley and Tonya Smith-Jackson, Co-Chairs
Committee on Cybersecurity Workforce of the Federal Aviation Administration
This page intentionally left blank.
Acknowledgment of Reviewers
This Consensus Study Report was reviewed in draft form by individuals chosen for their diverse perspectives and technical expertise. The purpose of this independent review is to provide candid and critical comments that will assist the National Academies of Sciences, Engineering, and Medicine in making each published report as sound as possible and to ensure that it meets the institutional standards for objectivity, evidence, and responsiveness to the study charge. The review comments and draft manuscript remain confidential to protect the integrity of the deliberative process.
We thank the following individuals for their review of this report: Leisel Bogan, Congressional Digital Service Fellowship; David J. DeRosier, Department of Biology (emeritus), Brandeis University; Michael A. Echols, Max Cybersecurity LLC; R John Hansman, International Center for Air Transportation, Massachusetts Institute of Technology; Michael P. Huerta, MPH Consulting, LLC; Nani Lee, consultant, Waimea-South Kohala, Hawai’i; Michelle Monsees, consultant, Fairfax County, Virginia; Frederick L. Oswald, Department of Psychology, Rice University; and Juan Perez, United Parcel Service.
Although the reviewers listed above have provided many constructive comments and suggestions, they were not asked to endorse the conclusions or recommendations of this report nor did they see the final draft before its release. The review of this report was overseen by Jennie S. Hwang, H-Technologies Group, and Wesley L. Harris, Department of Aeronautics and Astronautics, Massachusetts Institure of Technology. They was responsible for making certain that an independent examination of this report was carried out in accordance with the standards of the National Academies and that all review comments were carefully considered. Responsibility for the final content of the report rests entirely with the authoring committee and the National Academies.
This page intentionally left blank.
Contents
2. CURRENT AND FUTURE CYBERSECURITY LANDSCAPE FOR THE FEDERAL AVIATION ADMINISTRATION
Organization and Structure of the FAA
The Cybersecurity Workforce of the FAA
The FAA’s Current Cybersecurity Workforce
U.S. Cybersecurity Labor Market
Statutory and Regulatory Requirements
The FAA’s Future Cybersecurity Workforce
3. MANAGING THE CAREER/EMPLOYEE LIFECYCLE FOR A DIVERSE CYBERSECURITY WORKFORCE
Characteristics of the Cybersecurity Workforce in the 21st Century
Characteristics of the Cybersecurity Workforce
Cybersecurity Workforce Labor Market
Diversity in the 21st Century Cybersecurity Workplace
Federal Cyber Talent Development
Federal Recruitment Flexibilities
Scholarship Opportunities and FAA Recruitment
Recruiting for Diversity in the FAA Cybersecurity Workforce
Diversity and Inclusion in Organizational Culture
FAA Talent Development and Advancement
Workforce Strategies and Best Practices
Development of Cybersecurity Awareness in Organizations
Coordination with Human Resources
Using the NICE Framework as a Guide to Identify Intense Personal Interest
Conclusions and Recommendations
4. ADDITIONAL EMPLOYEE AND ORGANIZATIONAL CONSIDERATIONS
Career Advancement and Development
Human Capital in the Workplace
Diversity Through College-Level Talent Pipeline Development
Student-Level Talent Pipeline Development
FAA Talent Pipeline Development
Skill Development and Training Through Certification
Cybersecurity Organizational Stucture and Design
The CISO as a Senior Executive
Hybrid/Federate First Line CISO Teams
Concluding Thoughts on Organizational Structure and Design
Conclusions and Recommendations
This page intentionally left blank.