Join War on the Rocks and gain access to content trusted by policymakers, military leaders, and strategic thinkers worldwide.
The Department of Defense does not primarily have a cyber recruiting problem — it has a cyber talent management problem. The military already possesses serious qualification frameworks, scholarship programs, credentialing systems, and selection tools. What it still lacks is a system tying assessment, training, assignment, performance, and retention together across an entire cyber career.
In March 2026, the department announced at its Cyber Workforce Summit 2.0 an effort to reinvent the cyber workforce. Called Cyber Command 2.0, this effort’s principal goal is improvement in talent management by focusing on identifying, recruiting, hiring, and retaining the right people. The effort also emphasizes the need to manage career-long expertise through flexible and responsive training pipelines and flexible career paths. Such flexibility is needed to accommodate multiple pathways to qualification — through a combination of education, coursework, experience, and assessment.
I spent 20 years in the U.S. Navy as an aerospace experimental psychologist, designing workforce development, competency assessment, and personnel selection systems. I also served as the chief of staff for the Advanced Distributed Learning Initiative, which fielded systems modeling defense learner, job, and competency requirements at scale. The Department of Defense has been trying to solve these problems for as long as I have been working on them. What makes Cyber Command 2.0’s ambitions so difficult is not an absence of good ideas, but an issue of structural barriers in connecting these ideas into a single functioning system.
I now work in the private sector at IntelliGenesis, so I have a commercial interest in how the department answers these questions. I want to be transparent about that. But these are problems I have worked on and cared about for my entire career. What follows reflects that full span of commitment, not just my current role.
Some cyber training pipelines run close to two years. When a candidate washes out late or leaves for a better offer as soon as an obligation ends, the seat and training investment are gone, and the organization starts over. At the time of writing, the systems the armed services use to determine a candidate’s qualifications, credentials, and potential assignments remain extremely rigid and slow to change — wholly unsuited for this talent management challenge. The Cyber Command 2.0 initiative recognizes that the required knowledge, available training resources, job tasks (and jobs themselves), are evolving on a scale measured in months rather than decades.
The Defense Department has a well-defined and efficient selection testing apparatus already in place via the Defense Advisory Committee on Military Personnel Testing, managing personnel selection systems, procedures, and policy across the services. The department’s general entrance exam was built to predict broad academic and occupational success across the military. The exam measures verbal, spatial, mathematical, and science and technical aptitudes. While useful, it is much broader than the question of who will excel in cyber defense, intelligence, or effects, as well as software development and highly technical maintenance roles. Cyber work demands different blends of reasoning, learning speed, persistence, pattern recognition, and comfort with ambiguity. It also rewards people differently over time. Someone who can get through an initial schoolhouse may still be a poor fit for a specific specialty. Someone else may look ordinary on the front end and become exceptional once given the right kind of work.
This is why better specialty screening and placement matter. Government and private sector purpose-built tests and local selection tools have existed for years, and they do solve part of the problem. But those tools remain unevenly implemented and disproportionately available across organizations, and even the best entry assessment solves only one facet of the issue: helping identify likely potential for early performance.
Deputy Chief Information Officer for Resources and Analysis Christine Codon has undertaken timely efforts to build more tailored, effective personnel screening tools. This is important for talent onboarding in the cyber communities due to the speed at which these job requirements may be evolving, and the scale and timeline of the Defense Department’s hiring needs. Large-scale personnel selection tool validation — following historic industry guidelines and private sector legal requirements — typically takes years, which the department simply does not have.
But the best selection systems in the world cannot by themselves tell leaders how to assign a new operator, when to reclassify someone, how to sequence training for the best return, or what incentives will keep top performers from walking away. The most important question is no longer how we identify cyber talent and experience, but rather how the Defense Department shepherds that talent after its onboarding. Treating assessment as the most important component ignores the much larger management challenge following accession.
The Defense Department has done real work here. Its 2023 cyber workforce qualification manual sets department-wide timelines for qualification. The department’s cyber workforce framework now describes the field through seven workforce elements and over 70 distinct roles. The chief information officer has also supported a scholarship pipeline through the Cyber Service Academy, as well as career broadening through industry rotation and exchange programs. The broader governance model shares responsibility and accountability via roles across the services, the joint staff, military departments, and component heads.
These efforts deserve credit, but do not add up to a true talent management architecture. The qualification policy itself recognizes that this challenge crosses organizational boundaries and requires upgraded personnel systems. The framework provides a common language for work roles, and the qualification matrices provide a catalog of acceptable education, training, and certifications — both of which are necessary. Yet the official guidance for these matrices says the authoritative versions are still housed in Excel documents. While systems do exist for tracking Department of Defense Directive 8140 cyber workforce credentials and compliance, the effectiveness of these systems is constrained by the level of detail in the current version of the qualification program itself, as well as their lack of flexibility. We are still managing a strategic workforce through limited artifacts, rather than a living, integrated data environment.
A mature cyber talent system should allow leaders to see, in one place, how an individual’s entry characteristics, training history, demonstrated performance, work role coding, qualification status, assignment record, and retention outcomes relate to one another. The system needs to help answer practical questions that matter more than compliance checkboxes. Which screening measures predict success in which specialties? How much detail is needed in tracking skill and competency development over time, and across job families and career fields? How do we assess the fit of early career qualifications and achievements to late career opportunities? How do we capture skill and knowledge retention and atrophy in the cyber workforce? Which capabilities and qualifications are truly predictive, and which are merely easy to count?
At the aforementioned Cyber Workforce Summit 2.0, all four service chief information officers jointly called on their chain of command to build exactly this kind of enterprise-wide, integrated cyber talent management system, and Deputy Chief Information Officer Principal Director for Resources and Analyses Mark Gorak committed to pursuing it. Gorak will face tremendous obstacles. For one, responsibility for this task is fragmented by Title 10 itself (10 U.S. Code § 3013, § 5013, § 8013), which tasks the military departments separately with their own organization, training, and equipping functions. Even within services, it is still too common to see specific offices focused on accessions, schoolhouse throughput, coding billets, qualification compliance, and retention incentives, respectively. Each is doing competent work, but if the data and decisions do not connect, the Defense Department is not managing a pipeline. It is managing handoffs.
The pressure to streamline the process of recruitment, selection, accession, assignment, evaluation, retention, and management is further complicated by the question of security clearances — a near ubiquitous requirement for government cyber workforce members. The clearance pipeline can be argued to be driven almost entirely by forces outside the personnel management cycle. This makes it an entirely separate problem: There may be almost zero overlap between information that would derail a clearance — such as negative behavior, associations, or other red flags — and the skills assessment, qualifications, credentials, and education information needed to manage career progression. This means the clearance pipeline will likely remain a bottleneck for Cyber Command 2.0, and one that must be managed in sequence by separate agencies.
Predictive assessment is most valuable when it is embedded in a larger system containing meaningful performance and qualification data. The real return on investment for such psychometric tools comes when assessment results are combined with downstream evidence, including training performance, supervisor ratings, objective performance, and long-term retention. This is how an organization learns which signals matter and which ones do not.
The current policy environment makes this even more urgent. The 2023 qualification manual gave the department a phased timeline to qualify this workforce, and the framework has become more detailed and more ambitious. While a positive, it also means leaders now need a way to manage careers at scale. Some components of this system are there, but not yet integrated. A role-based framework is helpful only if it informs real assignment decisions. A qualification matrix is useful only if it more effectively places people, develops them faster, and spends training dollars more intelligently.
To make matters worse, cyber talent is not only hard to recruit but hard to keep. The private sector offers money, flexibility, technical focus, and an often cleaner path for people who wish to remain deep experts, rather than broad managers. Department leadership has built scholarship and exchange programs, which are excellent steps, but retention in a field like this cannot rest on patriotism alone — it requires visible technical career paths, better matching of people and specialties, and incentives tied to an accurately defined labor market which recognizes the salaries some of these positions can command externally.
Personnel Selection
The Defense Department appears to have wisely abandoned the idea that entry-level screening is the end of the selection problem. There are several additional changes to the personnel selection policy that would help.
Cyber talent screening at career entry could potentially be exempted from the time limit requirements placed on entrance assessments across the department. Historically, the time required to administer an ever-changing battery to over 50,000 examinees per year necessitated aggressive management of just how time-consuming that battery could become. Such a problem necessitates revisiting this constraint for cyber community assessments — additional testing time could be allocated for those either expressing an interest in cyber career testing, or those meeting a minimum component score on the entrance exam itself.
The department could also go further in terms of post-accession and mid-career testing. It already incorporates reliance on post-training certification exams as part of its credentialing process (e.g., CompTIA Security+, AZ-900, etc.), which are designed to assess the examinee’s mastery of training just completed. That said, a mid-career applicant applying for a well-defined job whose knowledge requirements are established could certainly be given a new exam designed to predict success in that specific job. The credentialing evidence described in Directive 8140 is the best available, but it has not been empirically validated against downstream job performance.
This speaks to another critical limitation of the power of selection tests in predicting downstream performance: historically, the government’s available data on such job performance is woefully inadequate. If we cannot measure job performance, this performance becomes virtually impossible to predict. This problem has historically been created by the necessity to generate comparable job performance and career progression data consistent across large swaths of the force (e.g., fitness reports and evaluations), but the good news in the case of cyber jobs and job families is that it should be possible to create relatively stable, objective metrics for performance on many relevant tasks. The narrower the set of jobs to be predicted is, the simpler this task becomes. If jobs can be well-defined, and the performance of a significant number of their tasks can be objectively measured, it becomes much easier to predict performance within them.
Qualification Management
The lack of aforementioned predictive power for credentials does not mean they are poorly defined. It only means that, to date, we cannot provide evidence that they work as predictors. Even if they are found to be predictive, they are hardly sufficient — the department needs a better way to capture incumbent qualifications.
The 8140 qualification matrix outlines the government and private sector training, coursework, and certification requirements recognized as sufficient for qualification for specific certifications and work roles. The model assumes those work roles can be combined, in some limited quantities, to define jobs. This is a positive, as it allows stakeholders to track the evolution of competency and experience across a series of related jobs, using a static taxonomy that has been deemed sufficient at present.
The system does have considerable shortcomings: The 8140 matrix says nothing about the applicability of other certifications across career fields or job families, nor does it help translate the level of overlap between potentially related jobs in different job families. In defining how qualifications can be met, this model has no mechanism to accommodate any combination of education, experience, or certification exams. The 8140 also implicitly assumes the continued relevance and accuracy of a static list of competencies used to describe these jobs, and assumes those competencies are defined with sufficient granularity to differentiate among similar positions. The structure of the 8140 necessitates that any changes to its components will potentially require manual revision to the thousands of competency-credential-job-family relationships defined by it.
These can, and should, be addressed. Under the Defense Human Resources Activity, the Advanced Distributed Learning Initiative provided guidance and oversight regarding a series of Institute of Electrical and Electronics Engineers standards that outlined how human performance (9274.1), learner records (P2997), competency definitions (1484.20.3), and learning metadata (2881) need to be defined and captured to enable a total learning architecture. These standards remain current, as do the repositories and source code used to develop the organization’s reference implementations (i.e., working versions) that are hosted at Impact Level 4. These tools used graph systems to link learner, training, and job information at scale using a zero-trust architecture. This system, or one structured according to the same requirements, can accommodate cascading changes to relationships among elements in the competency-job graphs if one of the elements in the graph is changed. In other words, if one competency data element is modified — say if its definition is updated, or it is split into two different competencies — everything connected to it will update automatically. Most, if not all, of the shortcomings listed in the previous paragraph could be mitigated through the implementation of a learning architecture model of the 8140 system. This should be implemented as an enterprise data layer for cyber workforce decisions.
Not another workbook. Not another static repository. Even a live connection of the static elements of the current system would be insufficient. An enterprise data layer built according to learning architecture requirements as an expansion of the existing 8140 framework, would do a great many things. It would measure job requirements with far more accuracy, and would accommodate partial matches across jobs, work roles, and certifications. Most importantly, with a zero-trust structure, it could accommodate the inevitable changes and updates to all of the competency and job data the Defense Department defines today as “current.” This model has existed for seven years, and it’s considered sufficient as of this writing. How will it look five years from now?
Leaders of the cyber workforce should be able to trace the relationships among selection inputs, qualification timelines, role assignments, and performance predictions across the full life cycle of a cyber professional. Until this is possible, senior officials will continue to make strategic workforce decisions with partial visibility.
The system described here would propel the Defense Department toward better capture of applicant/incumbent capabilities, competencies, and job requirements. This will, in turn, enable better candidate matching, intentional career design, and faster course correction for unsuitable matches — a mediocre fit wastes scarce talent, while a strong fit develops it.
Finally, the department should judge success by operational and workforce outcomes, not by compliance optics (the stated goal of Cyber Command 2.0). The right measures are not just how many people hold a qualification on paper, but whether the department is reducing washout, shortening time to effective contribution, improving placement quality, retaining top performers longer, and building depth within the specialties that matter most.
The Department of Defense does not need to start from scratch on cyber workforce reform — it already has serious people, solid frameworks, and useful programs in motion. However, it must recognize that personnel screening, assignment, credentialing, job requirements definition, and performance prediction are all part of the same problem. They cannot be tackled separately.
Henry Phillips, PhD, is director of strategic growth for research and development at IntelliGenesis and a retired United States Navy commander. A naval aerospace experimental psychologist with a doctorate in industrial-organizational psychology, he has designed and fielded assessment tools used by thousands of military applicants per year. His areas of expertise include selection, assessment, workforce policy, training systems acquisition, and personnel placement. He also served as the chief of staff for the Advanced Distributed Learning Initiative. The views expressed here are his own.
**Please note, as a matter of house style, War on the Rocks will not use a different name for the U.S. Department of Defense until and unless the name is changed by statute by the U.S. Congress.
Image: Maj. Christopher Vasquez via Wikimedia Commons
