Insider threat

Homeland Security's Cyber Talent Management System (CTMS)

Kurt Ellzey
November 9, 2021 by
Kurt Ellzey

With information security being a worldwide issue, it should come as no surprise that the number of open positions for qualified people is staggeringly high. Unfortunately, the standard procedure for getting your foot in the door for a government position is extensive and time-consuming, which is a major problem when the immediate compensation package may be lower than the private sector. At the same time, the responsibilities list is just as extensive. Enter the Department of Homeland Security's Cyber Talent Management System (CTMS).

What is the Cyber Talent Management System?

While most U.S. government employees work on the general schedule (GS) track, which determines compensation across various levels and locations, the CTMS is designed to work more like a traditional private-sector compensation package. Indeed, according to their interim ruleset posted here, under the standard rules, the DHS acknowledges that they cannot compete with the private sector regarding relatively common practices such as signing bonuses and faster than annual raises.

The CTMS, therefore, is designed to revolve around short-duration projects. Persons would be directly hired into the DHS for a particular objective, and depending on their performance, they may receive additional compensation before moving on to another objective. There are also options available for what is called a "continuing appointment," essentially a permanent position. The CTMS also acknowledges that people may want to pop in and out of public service for one reason or another and therefore does not penalize them as such.

The overall objective for this new structure is to emphasize the quality of work rather than just the amount of time put in. Anyone who has worked in IT can understand what it is like to work long hours or unusual shifts because things have to be worked on when they are not in use. In the case of high profile, time-sensitive or vitally important projects, the crunch factor can be extreme. Thus organizations as a whole would want to compensate their employees for going beyond what is strictly required. CTMS attempts to bring this in as well with bonuses of paid time off or additional monetary compensation.

While monetary compensation will max out at a particular cap under most circumstances, the DHS mentions that individual employees may surpass this in very specific situations. As for what that compensation cap is, the documents show that at least for 2021, it would be the same as the current salary of the vice-president ($255,800). In theory, it should be comparable to a similar position in the private sector. However, this will be under continual review as to the current market valuation of the skills they are looking for.

The probationary period for people in the DHS Cybersecurity Service (DHS-CS) is also extended, from a single year on the GS track to three years as part of CTMS. However, the catch to all this is that, in return, persons hired in such a way do not possess the same levels of absolute job security as more traditional or permanent employees. As a result, only new employees will be brought into this structure for information security. Existing employees are welcome to apply, but they will not be converted over automatically.

Will it work?

The DHS has been working on this system since they received the go-ahead from Congress in 2014. Since that time, the Department of Defense also received its version of the authorization in 2015. They have been successfully using a direct-hire model since 2019, and overall they have been optimistic about the changes. Initial hiring under CTMS will start with the Cybersecurity and Infrastructure Security Agency (CISA) and the DHS's chief information officer's office. As the scope of CTMS expands out, however, additional positions will be opening up with other agencies that operate as part of the DHS.

As for whether or not the changes will be enough to sway new or experienced information security professionals from working in the private sector, that remains to be seen as CTMS goes live. What we do know, however, is that this is trying to shake up the general attitude when it comes to public service positions. It is a good, long-term, well-paying job, but you will get more in the private sector. We have seen some aspects of this over the years as various government employees move into high profile positions either with established companies or, in some cases, starting their own.

We know that people to fill these positions are desperately needed across the board, and if the DHS plans to win them over, they are going to have to make it worth their time and energy. This is especially important if they want people to push hard for key projects. Quality over quantity, as we mentioned above.

How will the CTMS help?

The CTMS on paper sounds extremely promising in its goal to blend the best of both public and private sector employment in a field where the right person can make a massive difference. Their emphasis on "mission impact" driving compensation would certainly be lucrative for people that want to do their part and show what they can do. This will be worth keeping an eye on for the near future, especially if this continues moving across additional government departments and agencies. If you are interested in applying for DHS-CS positions under CTMS, additional information and links to contact a recruiter can be found on the DHS's website here



Statement from Secretary Mayorkas on the Cyber Talent Management System, DHS

DHS details how it’ll recruit, pay and promote new hires under cyber talent management system, Federal News Network

Pentagon now using direct-hire authorities for a third of its cyber workforce, Federal News Network

DHS Cybersecurity Service, DHS

Cybersecurity Talent Management System, Federal Register

Kurt Ellzey
Kurt Ellzey

Kurt Ellzey has worked in IT for the past 12 years, with a specialization in Information Security. During that time, he has covered a broad swath of IT tasks from system administration to application development and beyond. He has contributed to a book published in 2013 entitled "Security 3.0" which is currently available on Amazon and other retailers.