This Report on the National Security Agency (NSA) and Department of Homeland Security (DHS) Program for the National Centers of Academic Excellence (CAE) in Information Assurance (IA) and Cyber Defense (CD) is in response to section 942 of The National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2014 (Public Law 113-66).

Over the last year, the Department of Defense Chief Information Officer (DoD CIO), in coordination with NSA’s Information Assurance Directorate (IAD) and DHS’s Assistant Secretary, Cybersecurity and Communications (CS&C), assessed the processes and criteria used to develop and designate cybersecurity1 programs at institutions of higher education as CAE IA/CD.2 DoD CIO contracted a portion of the overall analysis of the CAE IA/CD program to the Institute for Defense Analyses (IDA) for an independent, objective assessment of the National CAE program (See Attachment 2). While DoD CIO does not fully support all of the findings and recommendations, the IDA independent assessment provided foundational input to the DoD Assessment, Findings and Recommendations, and Implementation Plan included in this report.

The IDA assessment and the overall DoD CIO effort involved a variety of data collection methods, including not-for-attribution interviews with representatives from academic institutions and stakeholder organizations of the CAE program, as well as feedback from CAE public-private (industry, academia and government) stakeholder engagements. These engagements included the annual Colloquium for Information Systems and Security Education in June 2014, and the National Institute for Standards and Technology (NIST)-hosted National Initiative on Cybersecurity Education (NICE) Conference/Exposition in November 2014. IDA also interviewed representatives from NSA IAD and DHS CS&C. Other sources of information incorporated into the assessment include input from Federal Agencies; research information from the review of academic papers relating to the CAE program; publicly available documents from agency websites such as DHS, DoD, and NSA; and recommendations from subject matter experts.

The DoD Assessment, Findings and Recommendations informed a new Implementation Plan, which is best represented by the “way-ahead presentation” given by CAE IA/CD Program leadership at the CAE Principals Meeting immediately preceding the November 2014 NICE Conference (see Attachment 3). The briefing identifies actions, including timelines and considerations, to position the CAE IA/CD Program to improve and evolve the mechanisms and processes for developing courseware and other criteria for the CAE IA/CD program. The briefing describes a closer alignment with the NICE Program and its management and also a more interactive engagement, better considering industry and academia input. Together, the independent IDA Assessment, and the DoD Assessment, Findings, and Recommendations, and Implementation Plan provide the required responses to the Secretary of Defense tasking in section 942 of NDAA for FY 2014.