6 U.S. Code § 146. Cybersecurity workforce assessment and strategy
(a) Workforce assessment
(1) In general
(2) ContentsThe assessment required under paragraph (1) shall include, at a minimum—
an assessment of the readiness and capacity of the workforce of the Department to meet its cybersecurity mission;
information on where cybersecurity workforce positions are located within the Department;
(C) information on which cybersecurity workforce positions are—
(i) performed by—
permanent full-time equivalent employees of the Department, including, to the greatest extent practicable, demographic information about such employees;
individuals employed by other Federal agencies, including the National Security Agency; or
(D) information on—
the percentage of individuals within each Cybersecurity Category and Specialty Area who received essential training to perform their jobs; and
(b) Workforce strategy
(1) In generalThe Secretary shall—
not later than 1 year after December 18, 2014, develop a comprehensive workforce strategy to enhance the readiness, capacity, training, recruitment, and retention of the cybersecurity workforce of the Department; and
(2) ContentsThe comprehensive workforce strategy developed under paragraph (1) shall include a description of—
a multi-phased recruitment plan, including with respect to experienced professionals, members of disadvantaged or underserved communities, the unemployed, and veterans;
a 5-year implementation plan;
a 10-year projection of the cybersecurity workforce needs of the Department;
any obstacle impeding the hiring and development of a cybersecurity workforce in the Department; and
(c) UpdatesThe Secretary submit  to the appropriate congressional committees annual updates on—
the progress of the Secretary in carrying out the comprehensive workforce strategy required to be developed under subsection (b).
Section was enacted as part of the Cybersecurity Workforce Assessment Act, and not as part of the Homeland Security Act of 2002 which comprises this chapter.
Homeland Security Cybersecurity Workforce Assessment
This section may be cited as the ‘Homeland Security Cybersecurity Workforce Assessment Act’.
“(b)Definitions.—In this section:
“(1)Appropriate congressional committees.—The term ‘appropriate congressional committees’ means—
the Committee on Homeland Security and Governmental Affairs of the Senate;
the Committee on Homeland Security of the House of Representatives; and
the Committee on House Administration of the House of Representatives.
“(2)Cybersecurity work category; data element code; specialty area.—
The terms ‘Cybersecurity Work Category’, ‘Data Element Code’, and ‘Specialty Area’ have the meanings given such terms in the Office of Personnel Management’s Guide to Data Standards.
The term ‘Department’ means the Department of Homeland Security.
The term ‘Secretary’ means the Secretary of Homeland Security.
“(c)National Cybersecurity Workforce Measurement Initiative.—
“(1)In general.—The Secretary shall—
identify all cybersecurity workforce positions within the Department;
determine the primary Cybersecurity Work Category and Specialty Area of such positions; and
assign the corresponding Data Element Code, as set forth in the Office of Personnel Management’s Guide to Data Standards which is aligned with the National Initiative for Cybersecurity Education’s National Cybersecurity Workforce Framework report, in accordance with paragraph (2).
“(A)Procedures.—Not later than 90 days after the date of the enactment of this Act [Dec. 18, 2014], the Secretary shall establish procedures—
to identify open positions that include cybersecurity functions (as defined in the OPM Guide to Data Standards); and
to assign the appropriate employment code to each such position, using agreed standards and definitions.
“(B)Code assignments.—Not later than 9 months after the date of the enactment of this Act, the Secretary shall assign the appropriate employment code to—
“(d)Identification of Cybersecurity Specialty Areas of Critical Need.—
“(1)In general.—Beginning not later than 1 year after the date on which the employment codes are assigned to employees pursuant to subsection (c)(2)(B), and annually through 2021, the Secretary, in consultation with the Director, shall—
identify Cybersecurity Work Categories and Specialty Areas of critical need in the Department’s cybersecurity workforce; and
“(B) submit a report to the Director that—
describes the Cybersecurity Work Categories and Specialty Areas identified under subparagraph (A); and
substantiates the critical need designations.
“(2)Guidance.—The Director shall provide the Secretary with timely guidance for identifying Cybersecurity Work Categories and Specialty Areas of critical need, including—
current Cybersecurity Work Categories and Specialty Areas with acute skill shortages; and
Cybersecurity Work Categories and Specialty Areas with emerging skill shortages.
“(3)Cybersecurity critical needs report.—Not later than 18 months after the date of the enactment of this Act, the Secretary, in consultation with the Director, shall—
identify Specialty Areas of critical need for cybersecurity workforce across the Department; and
submit a progress report on the implementation of this subsection to the appropriate congressional committees.
“(e) Status Reports.—The Comptroller General of the United States shall—
analyze and monitor the implementation of subsections (c) and (d); and
not later than 3 years after the date of the enactment of this Act, submit a report to the appropriate congressional committees that describes the status of such implementation.”
“In this Act [enacting this section and provisions set out as a note under section 101 of this title]—
the term ‘Cybersecurity Category’ means a position’s or incumbent’s primary work function involving cybersecurity, which is further defined by Specialty Area;
the term ‘Department’ means the Department of Homeland Security;
the term ‘Secretary’ means the Secretary of Homeland Security; and
the term ‘Specialty Area’ means any of the common types of cybersecurity work as recognized by the National Initiative for Cybersecurity Education’s National Cybersecurity Workforce Framework report.”
 So in original.