Organization and Structure of the FAA

To carry out its mission, the FAA is organized into five “lines of business” that provide services external to the agency, and nine staff offices that provide the in-house support and expertise for the agency. Each of these 14 units report to the FAA Administrator. The five lines of business are Air Traffic Organization, Aviation Safety, Airports, Commercial Space Transportation, and Security and Hazardous Materials Safety.¹ Like most U.S. government agencies, the staff offices include functions for personnel, legal, policy, and finance. Other services are internally focused. A large staff office is Human Resources Management, which provides agency-wide support for human capital management including employment, compensation and benefits, workplace environment, and learning and development. Specifically relevant to this study, the FAA has implemented a “shared services” staff office to provide agency-wide support for financial management, acquisitions and business services, and information and technology. Thus, the CISO reports to the Chief Information Officer (CIO), who in turn reports to the Assistant Administrator for Finance and Management, who reports to the FAA Administrator. See Figures 2-1 and Figure 2-2.

The largest unit within the FAA that houses cybersecurity professionals is the Air Traffic Organization (ATO). The ATO is responsible for providing safe and efficient air navigation services² and consists of air traffic controllers and the personnel who manage the program, and engineers and technical staff responsible for designing, installing, and maintaining the infrastructure needed to perform the functions integral to air traffic control. In addition, the ATO provides technical training for its staff, safety analysis for its operations, and physical and cybersecurity for its assets.

FAA headquarters are in Washington, DC. Additionally, field organizations are located throughout the country and various places in other countries. The FAA William J. Hughes Technical Center, in Atlantic City, New Jersey,

___________________

¹ More information is available at: https://www.faa.gov/jobs/who_we_are/our_business/#orgchart.

² More information is available at: https://www.faa.gov/about/office_org/headquarters_offices/ato/.

is the nation’s premier air transportation laboratory.³ This center’s highly technical workforce conducts testing and evaluation, oversees verification and validation, supports the sustainment of the FAA’s full spectrum of aviation systems, and conducts applied research and development. The Mike Monroney Aeronautical Center, located in Oklahoma City, Oklahoma, houses the FAA Academy, the Enterprise Services Center, and several other business support functions.⁴

The FAA’s annual budget is approximately $18.1 billion. The operations account, which funds most cybersecurity employees, is approximately $11.0 billion, and is considered, in federal budget parlance, “discretionary” (DOT, 2020, p. 3). This means, as a practical matter, the operations account is subject to annual appropriations and, in the event of a partial government shutdown, is likely to be impacted. In the committee’s judgement this has the potential to pose a risk to the cybersecurity program in attracting and retaining cybersecurity professionals.

THE CYBERSECURITY WORKFORCE OF THE FAA

The FAA’s Current Cybersecurity Workforce

The total FAA workforce consists of just over 45,000 people⁵ located across the globe working in various locations including airports, regional offices and centers, and the Washington, DC, headquarters. There are a wide range of employees including technical, industrial, and business professionals throughout the agency.⁶

Cybersecurity workforce jobs in the FAA, as defined by the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (see Box 2-1) for classifying functions, are not all centralized within the cybersecurity organization, nor are the majority of the employees located at the Washington, DC, headquarters. The FAA’s IT and cybersecurity workforce numbers less than 1,400 individuals, who are spread throughout the agency and geographically dispersed across the nation (FAA, 2020b). Just under half of them are organizationally housed in the Office of Information and Technology (AIT). It is common for large public and private organizations to structure in this way—with a central security organization emphasizing professional depth and broad agency perspective, and line experts working on the security priorities of their individual mission teams—using strong informal communication to connect and align actions across the various teams. Nearly 50 percent of the cybersecurity professionals are organizationally housed in the information technology (IT) organization. Of the remaining cybersecurity staff members, approximately 40 percent work for the ATO (FAA, 2020b), and the rest (just over 10%) are engaged with the development of new technology (that is, aligned with agency intelligence and security functions) or in other operational units.

To gain a more robust understanding of its cybersecurity workforce, the FAA analyzed the workforce against the NICE Workforce Framework. Through that process, the FAA identified 53 total roles, including 36 specific cybersecurity roles, 10 general IT (cyber-related) roles, 6 support roles, and 1 “not applicable” role for all others (FAA, 2020a). The major contributing cybersecurity roles that were documented include Cyber Defense Incident Responder, Systems Security Analyst, Security Control Assessor, Security Architect, System Administrators, System Testing and Evaluation Specialist, Systems Security Developer, Cyber Crime Investigator, and Information System Owner (FAA, 2020a).

Geographically, the largest group of cybersecurity employees are based at the William J. Hughes Technical Center in New Jersey, including at least one-half of the ATO cybersecurity employees (FAA, 2020b). The second largest group is based in Oklahoma, including more than one-third of the AIT cybersecurity employees. Washing-

___________________

³ More information about the William J. Hughes Technical Center is available at: https://www.faa.gov/about/office_org/headquarters_offices/ang/offices/tc/.

⁴ More information about the Mike Monroney Aeronautical Center is available at: https://www.faa.gov/about/office_org/regions_centers/mmac/.

⁵ FAA Administrator’s Fact Book (December 2020), p. 24. Available at https://www.faa.gov/news/media/2020_Administrators_Fact_Book.pdf.

⁶ Data provided by the sponsor to the committee on April, 20, 2020.

ton, DC, headquarters staff, along with staff based in Virginia and Maryland, comprise approximately 20 percent of the workforce (FAA, 2020b).⁷

Nearly one-third of the FAA cybersecurity workforce is female, while women represent only 21 percent of the cybersecurity workforce across North America.^8,9 The committee commends the FAA for this, yet it is important

___________________

⁷ Data confirmed by sponsor on March 29, 2021.

⁸ More information about (ISC)² is available at: https://www.isc2.org/-/media/ISC2/Research/2020/Workforce-Study/ISC2ResearchDrivenWhitepaperFINAL.ashx?la=en&hash=2879EE167ACBA7100C330429C7EBC623BAF4E07B.

⁹ The 21 percent was based on survey data collected from 3,790 security professionals at all levels, drawn from small, medium, and large organizations throughout North America, Europe, Latin America (LATAM), and the Asia-Pacific region (APAC).

that the FAA does not become complacent and that it continues to focus on developing a diverse workforce. Ethnic diversity in the cybersecurity workforce is similarly imbalanced with combined global minority representation at approximately 26 percent.¹⁰ Within the FAA, more than 66 percent of cybersecurity employees are White (FAA, 2020b). African American or Black employees make up approximately 13 percent of the workforce, Hispanic or Latino employees are approximately 4 percent, and the remaining 17 percent either identified as another ethnic minority or did not specify (FAA, 2020b).¹¹ The committee encourages the FAA to drill down on the composition of the unknown 17 percent so an accurate accounting of the true minority rate can be made, and appropriate actions can be taken.

Finding 2-1: The FAA can expand representation of both women and minorities in its cybersecurity workforce. The agency is better than average with diversity workforce trends for women but may lag behind global percentages for underrepresented minorities in the cybersecurity workforce. Additional information on the racial composition of the FAA cybersecurity workforce is required to accurately describe the current state.

A growing share of the federal workforce is reaching retirement eligibility, and the FAA is not immune to this reality.¹² The Partnership for Public Service reports that in June 2019, “roughly one-third of employees onboard at the beginning of fiscal 2019 will be eligible to retire by the end of fiscal 2023.”¹³ For the federal IT workforce, in which most cybersecurity positions are classified, this “age disparity is even more striking . . . , with 19 times more employees over 50 than under 30.”¹⁴ Within the FAA, approximately one-fourth of the agency’s cybersecurity employees are currently eligible for retirement, and nearly two-thirds of the employees are over age 50 (FAA, 2020b). Anecdotal evidence from the FAA suggests that employees stay past retirement eligibility because they enjoy the mission and are satisfied with the work environment. The seniority-based pay scale can also incentivize longevity. While a workforce with a growing number of workers eligible for retirement can be evidence of strong employee retention, it can also present potential challenges that come with sudden mass retirement and unacceptable levels of organizational knowledge loss.

Finding 2-2: A growing proportion of the cybersecurity workforce of the FAA is reaching retirement eligibility and, as a result, the agency is vulnerable to losing a significant portion of its cybersecurity workforce to retirement.

The FAA is heavily unionized. Managers and employees in certain sensitive positions are excluded from union bargaining units, and while more than 30 percent of the FAA’s cybersecurity positions are not represented by a union, nearly 70 percent are (FAA, 2020b). Seventeen different bargaining units in total represent employees identified as holding NICE-defined cybersecurity positions. The largest bargaining unit, under the National Air Traffic Controllers Association umbrella, covers the IT cybersecurity employees and represents 25 percent of the total cybersecurity workforce. Contract staff, who may or may not be represented by a union, also support the agency in cybersecurity functions.

Finding 2-3: Unions represent a significant portion of the FAA cybersecurity workforce and should be considered as integral partners with the FAA in the recruitment and retention of the cybersecurity workforce.

___________________

¹⁰ More information about the Innovation Through Inclusion report is available at: https://www.isc2.org/-/media/Files/Research/InnovationThrough-Inclusion-Report.ashx.

¹¹ Data confirmed by sponsor on March 29, 2021.

¹² Text modified June 2021 to clarify that the challenges facing the FAA specifically relate to potential near-term labor shortages caused as retirement-eligible employees leave the workforce. Similar changes have been made on the following pages of the report: 23, 38, 59, 61, 66, and 76.

¹³ More information is available at: https://ourpublicservice.org/roadmap-for-renewal/talent.

¹⁴ More information is available at: https://ourpublicservice.org/wp-content/uploads/2020/08/A-Time-for-Talent.pdf.

___________________

¹⁵ More information is available at: https://www.onetonline.org/link/summary/15-1212.00.

¹⁶ More information is available at: http://danluu.com/hiring-lemons/.

a priority (OMB, 2016). The memorandum detailed measures to “identify, expand, recruit, develop, retain, and sustain a capable and competent workforce in key functional areas to address complex and ever-evolving cyber threats” (OMB, 2016, p. 2). In addition, new approaches to tackle constant workforce challenges within the federal government were presented. The OMB projected that there would be a “return on its investment through enhancements to Federal cybersecurity and the improved knowledge, skills, and abilities incoming cybersecurity talent bring to the Federal workforce” (OMB, 2016, p. 2).

In terms of legislation, the Federal Cybersecurity Workforce Assessment Act of 2015 (P.L. 114-113) requires all federal agencies, including the FAA, to undertake several workforce planning activities for the cybersecurity workforce.¹⁷ In particular, the Act requires the U.S. Office of Personnel Management (OPM), in coordination with the National Institute of Standards and Technology (NIST), to develop a cybersecurity coding structure aligning with the work roles identified in the NICE Framework. The Act requires agencies to identify and code all federal IT, cybersecurity, and cyber-related positions. Additionally, agencies must identify cybersecurity work roles of critical need in the workforce.

To meet the requirement, in fiscal 2019, the FAA identified all federal cybersecurity and cyber-related positions and personnel within the agency. The positions and personnel were then categorized based on OPM cybersecurity codes/roles (occupations) for the entire agency.

Institutional Policies

The FAA developed a 2020–2025 Cybersecurity Strategy, which articulates the FAA’s five cybersecurity goals (FAA, 2020a).¹⁸ Goal number four relates to building and maintaining workforce capabilities for cybersecurity and lays out four objectives:

• Objective 1: Enhance FAA-wide cybersecurity training, education, and awareness program.
• Objective 2: Support cyber workforce training through participation in exercises.
• Objective 3: Ensure personnel having cybersecurity responsibilities receive appropriate role-based training.
• Objective 4: Enhance FAA competitiveness in cybersecurity hiring and retention through the adoption of the current Federal IT Job Series.

During the first committee data-gathering meeting, the FAA sponsor demonstrated that they have been working to assign the cybersecurity workers to key areas and to ensure that those workers receive the training that is needed to perform their work. In addition, by using the NICE Framework, the FAA has been able to post positions that are more in line with other government agencies’ cybersecurity postings (FAA, 2020a).

The GS-334 series was established in 1980 by OPM for the Computer Specialist Series, which was universal across the government. It was replaced with the GS-2210 Information Technology Management Series.¹⁹ However, until 2019, the FAA continued using the 334 series; this meant that if an individual were looking for a job and searching for the 2210 series, they would not necessarily find FAA positions of the 334 series classification. This has now been remedied at the FAA (FAA, 2020a).

Hiring

Numerous cybersecurity workforce challenges are facing the FAA as described throughout this report. Hiring and retaining employees with the right skill sets is one of these challenges. Compared to other federal agencies, the FAA has in the committee’s judgement a lower profile among cybersecurity students but has an especially

___________________

¹⁷ The Federal Cybersecurity Workforce Assessment Act is contained in the Consolidated Appropriations Act of 2016 (Public Law 114-113) enacted on December 18, 2015 (see pgs. 735–737) and available at: https://www.congress.gov/114/plaws/publ113/PLAW-114publ113.pdf.

¹⁸ Note this strategy document is updated yearly and the title years change. At press the current version is 2021–2026.

¹⁹ More information is available at: https://www.opm.gov/policy-data-oversight/classification-qualifications/general-schedule-qualificationstandards/0300/gs-2210-information-technology-management-series/.

appealing mission. Anecdotally, it pays well compared to many competing agencies. Compared to private employers, the FAA may not pay as highly but offers more stable employment and an attractive culture. With regard to the hiring process, identifying, recruiting, and training for the necessary skills is vital. In addition to advertised job requirements, there are additional success factors the committee believes many managers are seeking (e.g., federal government standards of conduct such as trustworthiness and integrity, a team player, mission-driven, go the extra mile). These are qualities the committee believes the FAA strives for because the goal is not only to protect infrastructure, but also to protect safety.

The FAA uses several recruitment and outreach programs to attract recent graduates to a range of STEM roles, including cybersecurity positions, within the agency.²⁰ There has been significant outreach toward minority-serving institutions, though more could be done. These programs are not “cyber” specific, but rather address general human resources programs employed at the agency.

The FAA recruiting and compensation processes have limitations based in law and regulation. While the FAA has significant unique flexibilities because of legislative relief enacted 25 years ago (OPM, 2018), it has proven difficult in practice to fully exploit these advantages. Subsequent government-wide legislation and executive branch personnel initiatives have amended the FAA’s original authority, and there is not always clarity about the application of these initiatives to the FAA. The FAA may also voluntarily adopt some of these government-wide initiatives. The FAA remains part of DOT and the federal government, and agency actions need to be taken within the civilian executive branch context. Thus, DOT, OMB, and OPM may need to be consulted or required to approve processes or procedures. While the FAA has unique personnel authorities, DOT and OMB will often strive for consistency across the department or the government. Therefore, since they can effectively overrule the FAA, this need for consultation or approval can have the effect of limiting the flexibility that appears to exist on paper. In addition, the FAA is heavily unionized, and changes in practices may require bargaining for contract amendments or an impact and implementation agreement.

DOT policies require that most hiring requirements be approved at the department level prior to advertisement and filling, and approval is not guaranteed. Hiring is necessarily impacted by the annual appropriations process, for example. Once approved for filling a position, the FAA has an 80-day hiring model and generally, positions are not open for long periods, but some positions are not filled within 80 days (Audet, 2020).

It can be a lengthy process to onboard a new employee, taking anywhere from 2 months to 1 year, including the initial approval time (Audet, 2020). From a hiring standpoint, by the time an applicant receives a job offer, they have often accepted a position elsewhere. Some of this has to do with the background check process, and some of this has to do with HR processing. For certain jobs, national security clearance is also needed, and that can add an often indeterminant delay.

The President’s Management Agenda (PMA) placed an “emphasis on implementing a variety of improved workforce strategies, including . . . maximizing the use of currently available tools and authorities to help address some of [the] most pressing hiring needs.”²¹ In 2018, OPM authorized new direct-hire appointing authorities for cybersecurity and related positions where a “severe shortage of candidates and/or critical hiring needs” have been identified (OPM, 2018). Even with direct-hire authority for a position, there are parameters specific to the job, and these parameters are often customized further by location.

According to OPM, direct-hire authority is available for use to fill vacant positions (OPM, 2018). Hiring categories are positions that have a severe Shortage of Candidates and/or Critical Hiring Need, which include certain Scientific, Technical, Engineering, and Mathematics (STEM), Cybersecurity, and Specialized Occupations (e.g., Medical Officer).²² The cybersecurity positions this currently applies to include:

___________________

²⁰ Focus group discussion with FAA managers and committee members, August 21, 2020. All discussions were conducted in confidentiality, and the names of the participants are withheld by mutual agreement.

²¹ More information is available at: https://www.chcoc.gov/content/delegation-direct-hire-appointing-authority-it-positions.

²² More information is available at: https://www.opm.gov/policy-data-oversight/hiring-information/direct-hire-authority/#url=GovernmentwideAuthority.

___________________

²³ More information is available at: https://www.opm.gov/policy-data-oversight/classification-qualifications/general-schedule-qualificationstandards/0800/computer-engineering-series-0854/.

²⁴ More information is available at: https://www.faa.gov/jobs/search_jobs/direct_hiring_authorities/.

²⁵ More information is available at: https://www.jstor.org/stable/40861921?seq=1#metadata_info_tab_contents and https://smallbusiness.chron.com/seniority-important-union-13338.html.

²⁶ More information is available at: https://www.faa.gov/jobs/students/internships/minority/.

___________________

²⁷ Focus group discussion with FAA employees and committee members, August 20, 2020. All discussions were conducted in confidentiality, and the names of the participants were withheld by mutual agreement.

²⁸ Focus group discussion with FAA employees and committee members, August 20, 2020.

²⁹ More information about the program is available at: https://www.faa.gov/jobs/working_here/career_growth_development/.

³⁰ Sponsor response to committee question. April 20, 2020.

³¹ Sponsor response to committee question. April 20, 2020.

ment job. It was noted that there are instances where the FAA pay grades are above the rest of government for similar jobs, and that this was an effective recruiting inducement. Interviewees expressed a desire to interact with the larger cybersecurity community and with the intelligence community. Loss of higher-level security clearances upon moving into cybersecurity was noted as a negative. Many of the participants in the focus groups had been government contractors before joining the FAA. There was appreciation for the work of contractors in the more routine jobs, but some feeling that more interesting and strategic roles were also done by contractors, to the detriment of the FAA and employee opportunity.³²

Contractors

Competition for providing commercial services and goods to the federal government has increased and decreased over the years and is intended to create savings and efficiency in government functions. Many services that used to be performed within the FAA are now outsourced to contractors who help fill some of the gaps in the existing federal workforce. There are numerous benefits to the federal government in hiring contractors to perform various cybersecurity tasks (FAA, 2020a). For example, contractors can be used without having to invest in the costs of their development. There are also benefits on the employee side. Contractor positions typically pay more, and such positions are easier to apply for and obtain.³³ On the other hand, government positions are known for employment security and stability, better sick and annual leave, and providing a sense of service to the nation. Yet, there are also government workers who can leave their current position and come back the next day as a contractor making more money, while not having to report to their previous supervisors (Hernandez, 2020).

The FAA’s Future Cybersecurity Workforce

As result of the FAA expansion of missions and the sophistication of emerging cybersecurity threats, the future FAA cybersecurity workforce will need to adapt by expanding staff skill sets from multiple domains.³⁴ The cybersecurity workforce will need to continue supporting traditional enterprise infrastructure and security operation center needs, in addition to providing subject matter expertise and program oversight of cybersecurity integration into all aspects of the FAA’s missions, including aviation, aerospace management, and unmanned systems. Future needs of the FAA will require a workforce with a broad range of skills to develop and apply policy, governance, and guidance. This is in addition to delivering security engineering acquisition oversight and leading systems testing and evaluation, verification, and validation.

A major technology change is under way in the networking of the NAS. Traditional private-wire services by network providers are becoming unavailable and being replaced by internet protocol (IP) connectivity. Though to some extent one can try to retain the old security architecture using virtual private networking (VPN), the trend in the computing world is toward zero trust security modeling (NSA, 2021; Rose et al., 2020). In this approach, traditional perimeter techniques such as firewalls between the internet and the intranet are written off as unreliable means of defense, even if worth retaining for whatever they can do to slow down attackers. Instead, security comes in the form of restricting data and system access based on strong authentication and authorization of people, endpoint devices, and software versions.

Authentication mechanisms are central to the zero trust security model, and because aviation is an international activity, these are best defined under International Civil Aviation Organization (ICAO) auspices. To implement an international zero trust security model, the International Aviation Trust Framework (IATF) has been established (see section 2.7.2 of Unmanned Aircraft System (UAS) Traffic Management (UTM) Concept of Operations (FAA, 2020c)).

Data integrity is essential to the mission of the NAS. It is hoped that cloud computing, big data analytics, and artificial intelligence will each contribute to better cybersecurity. Solid security hygiene of tested backup,

___________________

³² Focus group discussion with FAA employees and committee members, August 20, 2020. Focus group discussion with FAA managers and committee members, August 21, 2020.

³³ More information is available at: https://www.cxcglobal.com/weighing-benefits-drawbacks-contracting.

³⁴ More information on HHS emerging cybersecurity threats is available at: https://www.nist.gov/system/files/documents/2017/07/28/hhhs_response_to_eo_13800_wfd_rfi_07272017final.pdf.

cryptographic checksums, least privilege access control, and data provenance tracking provide a foundation for maintaining data integrity. There are also differing data security approaches in traditional aviation safety versus novel UTM operations that will need to be bridged as drones enter controlled airspace.

It should be noted that dramatic changes in the FAA cyber landscape would likely occur in the wake of an attack on National Security Agency systems by skilled adversaries. In the committee’s judgement, and if the experience of other organizations is any guide, this sort of attack would drive large changes in cybersecurity workforce and practices. While important, such an event and the consequent changes are outside the scope of this report.

Finding 2-8: Modernization of the NAS relies on increasingly digitized and connected infrastructure. This increases the attack surface for the NAS and poses new cybersecurity threats to aircraft and other connected systems.

SUMMARY

The FAA has made advances to improve its cybersecurity workforce by following the NICE Framework to utilize similar positions as other agencies. The organization still has to make strides in various areas of recruitment and retention to diversify the cybersecurity workforce while having a workforce with a low turnover. Some of this can be done with improved use of internships and direct hire authority, as described in Chapter 3.

Conclusions and Recommendations

With a growing reliance on digital communications, the cyber landscape of the FAA is continuously evolving in order to safeguard its critical function of ensuring safe air travel. Accordingly, the future FAA cybersecurity workforce will need to adapt in order to simultaneously support traditional enterprise infrastructure and security operation center needs, as well as provide subject matter expertise and program oversight of cybersecurity integration into all aspects of FAA’s missions.

It is important to recognize the cybersecurity labor market is not only tight today—that is, demand far exceeds supply—but highly dynamic and expected to get much tighter in the future. Furthermore, while historically the FAA’s high employee retention rate in cybersecurity has helped it maintain the needed workforce capacity and capability, in the event of widespread retirement, the FAA will likely find it very challenging to restore/rebuild its workforce given its current challenges with recruitment.

CONCLUSION 2-1: The cybersecurity labor market is not only tight today, but highly dynamic and expected to get much tighter in the future.

CONCLUSION 2-2: The cyber landscape of the Federal Aviation Administration (FAA) is continuously evolving. Accordingly, the future FAA cybersecurity workforce will need to adapt in order to simultaneously support traditional enterprise infrastructure and security operation center needs, as well as provide subject matter expertise and program oversight of cybersecurity integration into all aspects of FAA’s missions.

RECOMMENDATION 2-1: The cybersecurity workforce within the Federal Aviation Administration (FAA) is generally satisfied and dedicated to the agency’s mission. The FAA’s high employee retention rate in cybersecurity has helped it maintain the needed workforce capacity and capability, but with a growing proportion of the cybersecurity workforce of the FAA reaching retirement eligibility, the agency is vulnerable to losing a significant portion of its cybersecurity workforce to retirement. However, in the event of widespread retirement, the FAA will likely find it very challenging to restore/rebuild its workforce given its current challenges with recruitment. And thus, the FAA should implement cybersecurity workforce planning strategies that will protect the agency against the potential for sudden and mass retirements.

RECOMMENDATION 2-2: Workforce diversity also strengthens the performance of cybersecurity efforts. The Federal Aviation Administration should expand recruitment efforts to include potential hires from different science, technology, engineering, and mathematics backgrounds and careers.