Nontechnical Professionals Follow Path to Cybersecurity Work
An immersive reskilling academy demonstrates exceptional promise.
A new federal cyber academy aims to help relieve the shortage in skilled cyber workers. The inaugural Federal Cybersecurity Reskilling Academy graduating class demonstrates that individuals with high aptitude and motivation can be successful in technical training and can gain the skills needed to enter the national cybersecurity workforce.
The genesis of the academy was the President’s Management Agenda, which made reskilling staff a key strategy in modernizing the federal government. The Federal Cyber Reskilling Academy (FCRA) allows personnel identified through an aptitude assessment to take part in a three-month immersive training program that results in industry-recognized certifications required to work the cybersecurity field. The program was provided at no cost to the candidates.
Through a strategic partnership comprising the U.S. Department of Education, the Office of Management and Budget, and the CIO Council, the program launched in November 2018. Participants hailed from such varied noncyber backgrounds as engineering, law, budget analysis, the military, law enforcement and event management.
“Cybersecurity is a key priority for this administration,” Suzette Kent, federal chief information officer, Office of Management and Budget, noted when she announced the academy opening. “This is why we need to continue to transform and modernize our efforts to improve our cyber posture. I’m thrilled to see the Federal Cyber Reskilling Academy pilot class take off as a path to train federal employees to join our cyber defenders.”
The FCRA pilot objective was to determine if federal employees with limited or no information technology or cybersecurity background could become skilled in the field. Graduates could then choose to immediately move into entry-level cyber defense, incident handling, incident response and digital forensics jobs as well as Security Operations Center analyst positions.
To help design the program, the government turned to Patriot Strategies, a service-disabled, veteran-owned small business, and the SANS Institute for the aptitude assessments, foundational and advanced training, and accredited Global Information Assurance Certifications (GIACs) to validate the newly acquired skills.
To begin the program, the CIO Council accepted applications from all federal workers outside the information technology specialist and computer scientist fields, called occupational series 2210 and 1550, respectively. When the application period opened, the response was overwhelming, notes Margie Graves, federal deputy chief information officer. “We thought maybe we would have a couple hundred applicants. We had 1,517 applications for the first cohort,” she says.
Applicants submitted a personal statement detailing their career goals related to the program and completed the SANS CyberTalent Aptitude Assessment. The assessment tool was developed using common measurement and testing standards to help determine if an individual could succeed in information security.
As a result of the assessments, the number of potential candidates was whittled down to 287. After reviewing these results and the personal statements, a government team interviewed 50 potential students, and 30 individuals were chosen to take part in the first immersive training class.
The training consists of CyberStart Essentials; the CyberStart Game; SEC401: Security Essentials Boot Camp Style and the GIAC Security Essentials Certification; SEC504: Hacker Tools, Techniques, Exploits and Incident Handling and the GIAC Certified Handler (GCIH) certification; and the NetWars continuous cyber range.
During the first week of academy coursework, the candidates assembled for an in-person training workshop at the Department of Education headquarters to begin the SANS CyberStart Essentials course. This weeklong workshop included more than 20 hands-on lab exercises before continuing on with an additional 120 hours of virtual training in modules comprising labs, additional exercises, quizzes and exams to measure students’ progress throughout the course.
During the course, students learned the basics: from the role of the central processing unit to how it executes code to how attackers disrupt intended behaviors. The course also includes information about network protocols and constructs as well as the inner workings of data packets.
This foundational knowledge aims at dramatically increasing students’ rapid and successful progression through deeper cybersecurity training. It ensures they understand the fundamental components of hardware and software so they can later employ digital forensics to reconstruct an incident or crime or identify flaws in software that could be exploited.
“Having entered this program with minimal computer literacy, the Essentials course provided a foundation upon which I was able to recognize key terms and processes, normalizing them in memory and making the material I’ve encountered in SEC401 and SEC504 more easily digestible,” explains Tyler Belec, member of the first FCRA graduating class. “Further, the Essentials course enabled familiarity with crucial systems such as virtual machines, Linux terminal, command prompt.”
Throughout the intensive coursework, the students of the inaugural class were provided with a technical mentor to answer questions about the course material, help them prepare for the certifications, and discuss challenges and best practices. Academy mentor Tim Garcia, who is an information security engineer for a Fortune 100 financial institution, holds eight GIAC certifications and is a SANS-certified instructor, conducted weekly status calls with the class and hosted one-on-one calls and chat sessions via Slack with the students.
In addition to mentorship, the students had access to CyberStart Game. This highly interactive program features more than 300 hours of content and uses gamification principles and game design techniques to introduce students to cybersecurity. Online challenges and puzzles enable students to tackle realistic examples of the threats cybersecurity practitioners face in the field. The student experiences a broad introduction to cybersecurity with scenarios that range from social engineering to web vulnerabilities to forensic investigation to Python programming. The FCRA students used the game to hone many of the skills and techniques they were learning in CyberStart Essentials.
Upon completion of CyberStart Essentials, the students took the SEC401: Security Essentials boot camp course. They were taught subject matter across many disciplines to ensure they had a core set of skills and knowledge to enable them to serve many roles within an organization effectively. The boot camp includes more than 18 hands-on labs spanning 10 hours of the classroom time to reinforce course content with free open-source tools.
The following three weeks comprised self-study with support from the academy mentor. During this time, all students could attempt two GSEC practice exams in preparation for the proctored exam. The test validates that certification holders can apply essential information security skills, techniques and theories beyond simple terminology and concepts. Professionals holding the GSEC are qualified for hands-on responsibilities within information technology system security roles.
For individuals who came into the academy with little to no background in cybersecurity or information technology, the exam results proved an outstanding testament to the success of the program and the participants’ hard work. The FCRA students’ first-attempt pass rate on the GSEC was 96 percent and their first attempt average score was 88 percent, both substantially higher than the industry standard.
After completing SEC401 and the GSEC certification, academy students attended the SEC504: Hacker Tools, Techniques, Exploits and Incident Handling course at SANSFIRE 2019, a large public training event in Washington, D.C. The course taught them the methods, techniques and tools today’s threat actors most commonly use, how to proactively posture an organization prior to an incident, and how to respond to incidents when they occur. This live training culminated with a live capture-the-flag exercise.
While at SANSFIRE, many students also took part in NetWars tournaments, a series of hands-on cybersecurity ranges in which individuals and/or teams compete to locate vulnerabilities, exploit diverse machines, analyze systems and defend their turf. Students honed their skills in areas such as vulnerability assessment, packet analysis, penetration testing and system hardening. FCRA students receive continuous online access to NetWars to refine and maintain their skills after graduation. Following the SEC504 training, the students prepared for their GIAC Certified Handler (GCIH) certification.
GCIHs have demonstrated they can manage security incidents by understanding common attack techniques, vectors and tools as well as defend against and/or respond to such attacks when they occur. The certification focuses on methods used to detect, respond and resolve computer security incidents. Professionals holding a GCIH certification are qualified for hands-on and leadership positions within incident handling teams. To date, FCRA participants have a 91 percent first-attempt pass rate on the GCIH exam, which is higher than the industry average.
Graduates from this academy have the knowledge, skills and abilities to perform the roles defined by the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework to positively impact the federal government’s cybersecurity posture against the myriad threats it faces daily.
The second group of FCRA candidates began their training in July. Applications were accepted from personnel with various backgrounds, including experience in information technology. Comtech Telecommunications Corporation conducted the second cohort’s training.
Government leaders are considering how to proceed after the first two pilot programs. One option is to pursue a large-scale reskilling program that could have a major impact on their efforts to close the critical cybersecurity vacancies and defend the nation’s networks and critical infrastructure.
John Nix is the director of SANS Federal. SANS Institute is an AFCEA International Preferred Provider.