On Wednesday, the Deputy Secretary of Defense issued a memo that clarifies how the Department of Defense (DoD) will implement President Trump’s executive order to freeze all civilian hiring across all departments and agencies.
The operative language from the EO states that “no vacant positions existing at noon at January 22, 2017, may be filled and no new positions may be created, except in limited circumstances.” The most significant exceptions are that the order does not apply to military personnel, and that heads of executive departments can still fill or create a position to fulfill national security and public safety responsibilities. Nor does this order apply to Schedule C or Senate-confirmed appointments; the freeze squarely applies to the permanent civil service.
Deputy Secretary Robert Work’s implementation memo informs the Department of Defense of some broad categories that the Secretary of Defense has determined meet the national security and public safety exemption (more on this later). It also delegates the authority to decide whether a particular position meets this criteria to the primary DoD components (the military departments, etc.). And it stresses that these decision-makers should be prepared to justify their decisions to the Deputy Secretary himself.
If you are a manager with responsibilities involving cybersecurity, you may be in luck: the implementation memo exempts “positions required for cybersecurity and cyberspace operations or planning.” Indeed, this is the second category to be listed, right after executing and planning contingency missions and the like. A fourth category exempts “positions required for execution of the cyber and intelligence lifecycle operations, planning, or support thereof.” Clearly, cybersecurity was foremost on the minds of DoD leadership when determining the Department’s priorities.
A few issues stand out to us here specifically with respect to information security and cyber.
The freeze came at a difficult time for the Defense Department (though many other agencies, more strapped for skilled technical personnel, won’t be shedding any tears). Congress recently authorized DoD to build an “excepted service” cyber civilian personnel system—meaning the Department could fill its vacant cyber positions without adhering to the cumbersome federal hiring and management process overseen by the Office of Personnel Management (OPM). DoD expected to place at least 3,000 personnel within this excepted service system, which would have included people in U.S. Cyber Command and the Defense Information Systems Agency and was planning to make its first new hires in the fall. A freeze would have killed the momentum for this new excepted service system right as it is getting off the ground.
Perhaps most critically, a total hiring freeze would likely have impacted DoD’s efforts to build the National Background Investigation Bureau, the new organization created to process security clearances after the OPM data breach. That office will be a component of OPM, but DoD was charged with building and securing its IT systems. A total freeze also would have impacted U.S. Cyber Command at a precarious moment. As we discussed in an earlier post, Congress recently directed that Cyber Command be “elevated” to a unified combatant command and gave the command sweeping new authorities. While military personnel were safe from Trump’s hiring freeze, civilian personnel provide the continuity and administrative backbone of combatant commands, and in the case of cyber operations, civilians often have the deep technical expertise on which the military relies. The freeze would have undoubtedly set back Cyber Command’s evolution.
But even though this latest directive from DoD will provide these organizations with some relief, the order will still have a chilling effect on workforce plans. The memo instructs officials to apply the exemptions narrowly and may require officials to justify exemptions on a position-by-position basis. The guidance requires biweekly reports and metrics on their use of the exemption. The administrivia alone will likely deter overzealous interpretations of the exemption.
It is also unclear how broadly across the Department the exemptions will be interpreted. DoD and the rest of the government have had trouble defining what “the cyber” truly encompasses. While the personnel directly supporting U.S. Cyber Command and military cyber operations clearly would be within the exemption, there is a far larger workforce responsible for day-to-day monitoring of networks, residing in each and every component of the Department.
The broader question is whether civilian agencies with missions less directly tied to national security or public safety will be able to secure the same exemptions. In our opinion, the security of any federal entity—especially its information security—should be considered a national security and/or public safety matter. Is the security of networks at the Department of the Interior a national security matter? Two years ago, many may have said ‘no.’ But then a shared services data center at Interior was hacked, and attackers used this foothold to pivot into OPM networks. The rest is history. We think a case can and should be made to exempt all information security personnel across the board from a hiring freeze. The question is whether departments and agencies will make that case. According to the acting director of the Office of Personnel Management, testifying before Congress on Thursday, no other agencies have tried.