It’s Time for DoW to Build One Cyber Workforce System. And Mean It.

Mar 31, 2026

At AFCEA International’s Cyber Workforce Summit, senior U.S. Department of War (DoW) IT leaders said what many of us in the federal IT community have known for years: the Pentagon’s approach to managing its cyber workforce is fragmented, redundant, and unsustainable.

Army CIO Leonel Garciga put it bluntly: the services are each building their own systems to track cyber roles, certifications, and qualifications under the DoW Cyber Workforce Framework (DCWF), and none of them will integrate. His diagnosis: “a waste of time.” Marine Corps IC4 Acting Director Jeffery Hurley echoed the sentiment, calling for a single enterprise solution to manage the cyber workforce “from stem to stern.” And Mark Gorak at the DoW CIO office stepped up with a commitment to lead the development of exactly that: an enterprise-wide cyber talent management system.

It’s the right call. Now comes the hard part.

Why This Matters Beyond the Workforce

The DoW 8140 policy framework exists to bring rigor and consistency to how the department qualifies and assigns its cyber personnel. The problem is that 8140 compliance tracking has been implemented service by service, producing a patchwork of disconnected solutions: some automated, some manual, none interoperable. When a cyber operator moves from an Air Force billet to a joint command, their qualifications don’t travel cleanly with them. When a program office needs to staff a cleared cyber role quickly, there’s no enterprise-level view of who’s qualified and available.

This isn’t just an HR inconvenience. It’s an operational risk.

How to Get This Right

The commitment from the DoW CIO office is a necessary first step, but the path from commitment to deployed capability is long and littered with failed enterprise IT initiatives. A few principles should guide this effort:

Anchor it to identity, not a separate system. Army CIO Garciga is right: if the department already has an identity, credential, and access management infrastructure, cyber roles and qualifications should live there. Standing up yet another standalone system creates yet another thing to maintain, secure, integrate, and eventually replace. The DCWF role catalog is well-defined enough to be modeled as attributes on an existing identity record. Start there.

Define the minimum viable data model first. Before any system is designed, the department needs agreement on what data elements are authoritative, who owns them, and how they’ll be kept current as personnel change roles. Too many enterprise systems fail because the data governance wasn’t sorted out before the architecture was built. Requirements first. Technology second.

Treat interoperability as a day-one constraint, not a future phase. The Air Force is close to having an automated certification-tracking solution. Other services have work in progress. Rather than wait for a greenfield enterprise build, the smarter near-term approach is to define the integration standard: what data must be exchanged, in what format, on what schedule, so service-level investments can be wrapped into an enterprise layer rather than thrown away.

Plan for the contractor workforce too. The cleared contractor community supports the overwhelming majority of DoW cyber operations. Any enterprise workforce management system that only tracks government civilians and military members will have a significant blind spot. Industry partners should be included in requirements discussions now.

Think beyond the Pentagon. The DoW should not be designing this system in isolation. The cyber threats facing the nation do not stop at the DoW boundary, and neither does the cyber workforce that defends against them. CISA, FBI, NSA, the intelligence community, and dozens of civilian agencies all employ cyber professionals who operate under related but disconnected qualification frameworks. The NICE Cybersecurity Workforce Framework, which underpins civilian agency cyber workforce development, shares substantial common ground with the DCWF. A whole-of-government approach, one in which DoW designs its enterprise solution with civilian agency interoperability as a stated requirement from the start, would dramatically increase the long-term return on this investment. Personnel moving between DoW and civilian agency roles would carry recognized credentials. Joint operations involving civilian and military cyber teams would benefit from shared visibility into qualifications. And the government as a whole would stop paying for the same foundational problem to be solved a dozen different ways. This conversation needs to start at the ONCD and OMB level in parallel with the DoW CIO effort, not years after the DoW system is already locked in.

Potential Pitfalls and How to Address Them

Enterprise IT initiatives at DoW scale have a poor track record, and this effort will face predictable obstacles. Naming them now is the first step toward avoiding them.

Governance without teeth. The biggest risk is that the DoW CIO office issues guidance, the services nod along, and then each continues building its own solution. This has happened before. The fix is structural: enterprise cyber workforce management needs a designated program office with budget authority, an acquisition strategy, and clear accountability for delivery. Voluntary coordination rarely produces integrated systems.

Data quality and ownership disputes. A federated talent management system is only as good as the data feeding it. Each service will have its own authoritative sources for personnel records, certification completions, and role assignments, and those sources will not always agree. The program office needs to establish data stewardship rules early: which system of record wins in a conflict, who is responsible for updates, and what the adjudication process looks like when records diverge. Skipping this step produces a system that nobody trusts and everybody works around.

Scope creep before the foundation is stable. There will be pressure to add features: AI-driven skills gap analysis, predictive workforce modeling, integration with training platforms and learning management systems. Those capabilities may be valuable eventually, but they require clean, reliable underlying data. Pursuing them before the core qualification-tracking function is stable and trusted will delay delivery and increase cost. A phased roadmap with a narrow, well-defined initial increment is essential.

Classification boundary complexity. Cyber workforce data spans multiple classification levels. An operator may hold qualifications relevant to NIPR, SIPR, and JWICS environments. Any system that attempts to provide an enterprise view across those domains will encounter the same cross-domain data challenges that have slowed other DoW enterprise systems. The program office should engage DISA’s cross-domain solution governance early and design the data architecture with those constraints in mind from the start.

Resistance from services protecting existing investments. The Air Force has already invested significantly in its certification-tracking automation. Other services have programs in progress. Asking them to subordinate those investments to an enterprise solution will generate resistance, particularly if the enterprise option appears years away. The path forward is not to kill service-level work but to give it a migration target: define the enterprise data standard now, let services build to it, and consolidate as the enterprise platform matures.

Civilian agency alignment deferred too long. If DoW builds its enterprise system without coordinating with civilian counterparts at CISA, OPM, and ONCD, the government will face a familiar problem in five years: two well-built systems that don’t talk to each other. Interagency requirements coordination is slower and harder than intra-DoW coordination, which is exactly why it needs to start now rather than after the DoW architecture is set.

Where Industry Can Help

The DoW CIO office has asked for industry’s help getting requirements right. That’s an invitation worth taking seriously.

The federal IT industry has built, integrated, and sustained talent management platforms at scale: for civilian agencies, for the IC, and for defense customers. We understand the DCWF role taxonomy, 8140 qualification pathways, eMASS integration, and the clearance and access management infrastructure that would need to underpin any enterprise solution.

What industry should bring to the table:

  • Existing architecture patterns from comparable enterprise workforce systems, including lessons learned from implementations that failed to scale 
  • Integration playbooks for connecting service-level systems to a federated enterprise layer without forcing a rip-and-replace 
  • Data governance frameworks that define authoritative sources, update cycles, and adjudication processes for conflicting records 
  • Security models appropriate for a system that will hold sensitive personnel data about cleared cyber operators across classification domains 
  • Cross-framework mapping between DCWF and NICE so that a whole-of-government solution is technically feasible rather than aspirational 

At S2i2, we’ve spent years supporting federal environments where these workforce and compliance challenges play out daily. We’ve supported RMF, 8140 compliance, ISSO and ISSM programs, and enterprise IT operations for some of the Pentagon’s most complex networks. We know what it takes to keep cyber qualifications current in a real operational environment, and we know how quickly things break down when the systems supporting that effort aren’t designed for the mission.

The Bottom Line

The senior leaders at AFCEA’s Cyber Workforce Summit were right to name this problem publicly and commit to solving it at the enterprise level. The DoW cyber mission depends on having the right qualified people, in the right roles, with visible and verifiable credentials. That’s not possible without a coherent, interoperable system to manage it.

The window to get the requirements right is now: before another round of service-specific solutions gets funded and deployed, and before the DoW architecture diverges so far from civilian agency frameworks that whole-of-government integration becomes impossible. The pitfalls are known and addressable, but only if the program office is stood up with real authority, civilian agency counterparts are brought into the conversation early, and industry is engaged as a genuine partner in getting the requirements right. We’re ready to engage.

S2i2, Inc. is an SBA-certified 8(a) Small Disadvantaged Business headquartered in Oakton, Virginia, providing federal IT infrastructure, cybersecurity, and program support services to federal customers. Learn more at s2i2.com.

Source: Federal News Network: “DoW IT leaders push ‘smarter not harder’ enterprise cyber workforce system” (March 26, 2026)
