With an estimated 700,000 open cybersecurity positions, investing in cyber talent and education is critical to U.S. national and economic security. These shortfalls prompted the National Cyber Director to begin creating a National Cyber Workforce and Education strategy in the summer of 2022 to improve cyber talent and education. Given that education and training at the postsecondary level will feature prominently in any such strategy, understanding how effective current programs are will help policymakers make informed decisions moving forward.
This data brief focuses on one such program, the National Centers of Academic Excellence in Cybersecurity (NCAE-C). The NCAE-C program has operated for more than two decades out of a program office housed within the National Cryptologic University. It is a consortium of 365 institutions with cyber or cyber-related degrees or certification programs that meet high federal standards, sponsor cyber education initiatives, and engage in faculty professional development. For this analysis, we focus on nondegree awards (e.g., certificates), associate’s degrees, and bachelor’s degrees, as these comprise the main pipelines for cyber talent coming from institutions of higher education.
Our main goal was to determine whether NCAE-C-designated institutions are graduating cyber talent at a higher rate than schools without the designation. The NCAE-C program has grown significantly in scope and scale since its inception, but little data is available on its effectiveness. Using completions data from the Department of Education’s Integrated Postsecondary Education Data System (IPEDS) on students who have completed a program in a cybersecurity-related field of study, we find that:
- Institutions with the NCAE-C designation produced an outsized number of cyber and cyber-related graduates relative to non-NCAE-C institutions. Across all subjects, NCAE-C institutions granted only 40 percent of all bachelor’s degrees and 24 percent of associate’s degrees in 2020. But in cyber fields, NCAE-C institutions graduated 50 percent of all bachelor’s degrees, 32 percent of all associate’s degrees, and 19 percent of all nondegree credentials.
- NCAE-C institutions have shown rapid growth in completions in cyber- related fields, far outpacing non-NCAE-C institutions. While the number of cyber-related associate’s degrees awarded at non-NCAE-C schools decreased between 2010 and 2020, degrees in these fields at NCAE-C schools doubled in that same time. Furthermore, the number of cyber-related bachelor’s degrees granted per year by NCAE-C schools has more than tripled.
- NCAE-C institutions accounted for a higher percentage of cybersecurity bachelor’s degrees than non-NCAE-C institutions in many states. For example, NCAE-C schools in South Dakota awarded 50 percent of cybersecurity bachelor’s degrees in the state from 2010 to 2020, despite only awarding 5 percent of all bachelor’s degrees over the same time period.
- Despite some improvements over the past decade, women are still underrepresented in cyber-related programs. Similar to broader trends observed in other STEM fields, women are underrepresented in the NCAE-C community. While women’s share of earned, cyber-related bachelor’s degrees has risen over the last decade, the fact that it remains at less than 20 percent is emblematic of a pervasive gender imbalance across all award types.
- The NCAE-C program and its designated institutions do more than just graduate cyber talent. Standout institutions such as Dakota State University, Pittsburgh Technical College, and Capitol Technology University, as well as the schools that run the five CAE national centers, collaborate with and bolster the NCAE-C community and outside partners in many forms. Through these networks, institutions receive access to networks of employers, professional development for faculty, new potential funding streams, and a nationally- recognized designation.
In spite of the promise it shows for growing the cyber workforce, the NCAE-C program is not yet authorized in law or regularly funded by Congress. The lack of congressional authorization, consistent funding, and mandates that often accompany newly appropriated funds make strategic planning difficult for program administrators. Their success in training cybersecurity talent and building out pipelines across the country justifies more regular funding. To this point, Congress should officially authorize the NCAE-C program as an official National Security Agency (NSA) program of record and appropriate yearly funds.