You know that gnawing feeling when somebody is wrong on the internet. Sitting in the cockpit of my sailboat with an amber beverage ruined by two cubes of ice. Sitting there pondering the definitional nihilism of crackpot bureaucrats creating the same policy since I was a teenager and calling it new means I will need another drink.
Pour the second one slowly. This is going to take a while, and I am going to need both hands free to gesture toward the horizon, because what I am about to walk you through is thirty-five years of federal cyber workforce policy, doing the same wrong thing on a treadmill. The thing started before some of the people currently writing the policy were born. It will continue after I run out of bourbon and you run out of patience, because the treadmill is the apparatus and the apparatus is the treadmill, and nobody inside it can see the walls of the room they are pacing. The walls are made of slide decks, and the slide decks are the walls.
Let me start where it actually starts, which is not where the apparatus thinks it starts. The apparatus thinks the field started somewhere around the time Bill Clinton was learning to send email. The apparatus is wrong. The field started in February 1970 in a RAND conference room with a man named Willis Ware.
Ware chaired the Defense Science Board Task Force on Computer Security. RAND published the result as R-609-1, Security Controls for Computer Systems. The thing was classified at the time. It got declassified in October 1979. Inside the building, it was the document. Ware named the threats. Multilevel security. Need to know. The insider problem. Hardware trust. Remote terminal exposure. Time sharing as an attack surface. He did all of this in 1970. The federal procurement system was still buying mainframes the size of refrigerators, and most of the country thought computer security meant locking the door to the computer room. Ware was already thinking about adversaries reading your data through terminals on the other side of the building.
Two years later, October 1972, James Anderson writes Computer Security Technology Planning Study for the Air Force. Technical report ESD-TR-73-51. The Anderson Report. Anderson invents the reference monitor. Every access control system written in the fifty-four years since stands on what Anderson said in that report whether the author knows it or not. Most do not know it. The reference monitor has been internalized so completely that working engineers use it without recognizing the lineage. That is how you can tell it was a good idea. Good ideas become invisible. Bad ideas need a marketing budget.
Between 1973 and 1976, David Bell and Leonard LaPadula at MITRE put security on a mathematical foundation. The Bell LaPadula model. You can read the proofs. You can verify them. The model has limits and the limits got argued out in the literature for the next two decades, which is how a real discipline works. The work invites attack. The work survives some attacks and adjusts to others. That is engineering. That is science. That is what a young field looks like when it is being raised by adults.
In 1975, Saltzer and Schroeder publish The Protection of Information in Computer Systems in the Proceedings of the IEEE. They lay out eight design principles, and in 2026, most federal cyber workforce people working full-time in the field cannot name three of them, which is a five-alarm fire nobody in the apparatus is willing to call. The principles run like this. Build the smallest mechanism you can get away with. Default to denied unless explicitly permitted. Check every access, every time, no shortcuts. Assume the adversary already has your blueprints. Require multiple keys for sensitive operations. Give every process only the privileges it absolutely needs. Do not share mechanisms between users when you can avoid it. And make the secure path the easy path or your users will route around you. Saltzer and Schroeder said all of that on the page in 1975 and the field has spent fifty years failing to internalize what they wrote.
Half a century later, those principles remain more sophisticated than anything the federal workforce apparatus has produced in fifteen years of cube expansion. They fit on a notecard. They predict the failure modes of nearly every major breach in the modern record. Equifax. SolarWinds. Colonial Pipeline. Change Healthcare. You can map the postmortem of any one of them back to a violation of one or more of those eight principles, and the violations are not subtle. The violations are the kind a sophomore class would catch if anyone was still teaching sophomore classes that took Saltzer and Schroeder seriously instead of teaching for the certification exam.
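What those foundations look like in code, as an added example that is not part of the original essay: a toy reference monitor in Anderson's sense that enforces the Bell and LaPadula simple-security and *-properties and exhibits four of the Saltzer and Schroeder principles named above (economy of mechanism, fail-safe defaults, complete mediation, least privilege). The subject, object and label names are constructed for illustration.

```python
"""Added example (not from the essay): a toy reference monitor enforcing the
Bell-LaPadula simple-security and *-properties, illustrating Saltzer and
Schroeder's economy of mechanism, fail-safe defaults, complete mediation and
least privilege. All names and labels below are constructed for illustration."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """Hierarchical level plus need-to-know compartments: one point in the lattice."""
    level: Level
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Bell-LaPadula ordering: at least as high, and a superset of compartments.
        return self.level >= other.level and other.compartments <= self.compartments


class ReferenceMonitor:
    """Economy of mechanism: one small class, one decision function. Complete
    mediation: the store is private, so every access passes check() and is audited."""

    def __init__(self) -> None:
        self._clearances: dict[str, Label] = {}
        self._objects: dict[str, tuple[Label, str]] = {}
        self.audit: list[str] = []

    def add_subject(self, name: str, clearance: Label) -> None:
        self._clearances[name] = clearance

    def add_object(self, name: str, label: Label, content: str) -> None:
        self._objects[name] = (label, content)

    def check(self, subject: str, obj: str, op: str) -> bool:
        clearance = self._clearances.get(subject)
        entry = self._objects.get(obj)
        if clearance is None or entry is None:
            allowed = False  # fail-safe default: unknown subject or object is denied
        elif op == "read":
            # Simple security property (no read up): clearance must dominate the label.
            allowed = clearance.dominates(entry[0])
        elif op == "write":
            # *-property (no write down): the label must dominate the clearance, so
            # a subject cannot copy high data into a lower-labelled container.
            allowed = entry[0].dominates(clearance)
        else:
            allowed = False  # fail-safe default: unrecognised operation is denied
        self.audit.append(f"{'ALLOW' if allowed else 'DENY'} {subject} {op} {obj}")
        return allowed

    def read(self, subject: str, obj: str) -> str:
        if not self.check(subject, obj, "read"):
            raise PermissionError(f"{subject} may not read {obj}")
        return self._objects[obj][1]

    def write(self, subject: str, obj: str, content: str) -> None:
        if not self.check(subject, obj, "write"):
            raise PermissionError(f"{subject} may not write {obj}")
        self._objects[obj] = (self._objects[obj][0], content)


def build_demo() -> ReferenceMonitor:
    """Constructed sample: analyst cleared SECRET with only CRYPTO (least privilege)."""
    rm = ReferenceMonitor()
    rm.add_subject("analyst", Label(Level.SECRET, frozenset({"CRYPTO"})))
    rm.add_object("weekly_brief", Label(Level.CONFIDENTIAL), "routine summary")
    rm.add_object("crypto_plan", Label(Level.SECRET, frozenset({"CRYPTO"})), "rotation")
    rm.add_object("reactor_spec", Label(Level.SECRET, frozenset({"NUCLEAR"})), "design")
    rm.add_object("war_plan", Label(Level.TOP_SECRET, frozenset({"CRYPTO"})), "ops order")
    return rm


def decisions(rm: ReferenceMonitor) -> dict[str, bool]:
    """The classic cases; every decision, allowed or denied, lands in rm.audit."""
    return {
        "read_down": rm.check("analyst", "weekly_brief", "read"),
        "read_own_compartment": rm.check("analyst", "crypto_plan", "read"),
        "read_other_compartment": rm.check("analyst", "reactor_spec", "read"),
        "read_up": rm.check("analyst", "war_plan", "read"),
        "write_up": rm.check("analyst", "war_plan", "write"),
        "write_down": rm.check("analyst", "weekly_brief", "write"),
        "unknown_subject": rm.check("intern", "weekly_brief", "read"),
        "unknown_op": rm.check("analyst", "weekly_brief", "execute"),
    }


if __name__ == "__main__":
    print(decisions(build_demo()))
```

Note that the analyst can write up into the TOP SECRET object only because it carries the CRYPTO compartment; a TOP SECRET object without it would be denied, which is the *-property doing its job, not a bug.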

August 1983 draft. December 1985 final. DoD 5200.28-STD. The Trusted Computer System Evaluation Criteria. The Orange Book. Class D through Class A1. Formal mathematical proof required at the top tier. The Orange Book was a rigorous engineering document built by people who had read Ware and Anderson and Bell and LaPadula and Saltzer and Schroeder and figured out how to turn the conceptual work into an operational evaluation framework. It had problems. Everything has problems. The problems were the kind that academics and engineers argued about in print, which is how you can tell it was real. Real things attract criticism. Frameworks attract only compliance.
Through the late 1980s the Rainbow Series fills out around the Orange Book. Forty-plus companion volumes addressing specific aspects of trusted system evaluation. The Red Book for networks. The Trusted Database Interpretation. The Trusted Network Interpretation. A library of serious technical guidance, most of which is sitting on a shelf in a federal records archive that nobody in workforce policy has visited since the Clinton administration.
So, when John McCumber stood up in 1991 in Baltimore at the 14th National Computer Security Conference and presented a paper called Information Systems Security: A Comprehensive Model, he was not contributing to a baby field. He was contributing to a discipline that had twenty-one years of foundational engineering behind it. Mathematical models that worked. An operational evaluation framework. A body of design principles a working engineer could carry on a notecard.
McCumber’s paper was a teaching tool. He said so in print. He called it a pedagogic framework. Three axes. Information states. Security properties. Security measures. Twenty-seven cells. A chalkboard tool for a graduate seminar. A way to help a smart twenty-four-year-old grasp the shape of the field in an hour rather than a semester. That is what the paper was. That is all the paper was. The paper was good at what it was. The paper said what it was. The paper did not lie about itself.
This is the part where I need you to refill the glass because the next part is where the crime happens. The crime was not committed by McCumber. Saying that clearly matters to me because John is a friend, and I will not let a piece of writing leave my hands that puts the verb on the wrong subject.
The crime was committed by a federal apparatus that had a choice in 1994 and chose wrong, and has spent thirty-two years compounding the wrong choice with new layers of wrong while claiming each layer was an improvement.
Eight months after McCumber’s paper hit the proceedings, June 1992, the NSTISSC picked up the framework and folded it into NSTISSI 4009, the National Information Systems Security Glossary. The teaching tool was now glossary canon. Two years later, June 1994, NSTISSI 4011 dropped. The National Training Standard for Information Systems Security Professionals. The McCumber framework, frozen into regulatory cement, mapped to twenty-two topic areas, with no peer review, no academic process, no public debate. Concrete poured. Cube set. McCumber was not consulted on whether his paper was ready for that load. He had said in his own paper that it was a pedagogic framework. The apparatus did not care what McCumber said about McCumber’s paper. The apparatus needed a cage and the cube was the prettiest cage on the lot.
This is the original error and everything since flows from it.
The apparatus had a choice in 1994. They could have built the training standard on the rigorous foundation that already existed. Ware. Anderson. Bell and LaPadula. Saltzer and Schroeder. The TCSEC. The Rainbow Series. Twenty-four years of accumulated engineering with mathematical proofs you could verify, evaluation criteria you could apply, and design principles a working engineer could carry on that notecard I mentioned. The lineage was right there. Free to anyone with a library card and the patience to read it.
They picked the cube instead.
Why. Pour another finger because this is the load-bearing answer to the entire thirty-five-year question. The rigorous foundation was hard. It required real mathematics to understand Bell and LaPadula. It required real engineering judgment to apply Saltzer and Schroeder. It required real depth to build a TCSEC B1 system, let alone an A1. You could not turn that lineage into a forty-hour course with a multiple-choice exam at the end. You could not produce a workforce of ten thousand by mapping job roles to checkbox curricula. The rigorous foundation produced a small number of deeply capable practitioners. The cube could be scaled.
So, they scaled the cube. They picked administrative convenience over engineering depth and called the choice standardization. The certification industry materialized to monetize the convenience. ISC2 was founded in 1989. The CISSP was first administered in 1994, the same year NSTISSI 4011 dropped. The overlap was not coincidence. Dr. Corey Schou, who directed the National Information Assurance Training and Education Center at Idaho State, developed the training standards underlying NSTISSI 4011 and the 4012 through 4016 family. He also wrote, with Maconachy, Ragsdale, and Welch, the 2001 IEEE paper that formally extended McCumber’s model.
The first figure in that paper is labeled The Original McCumber Model. ISC2’s own published attribution credits Schou with development of the Common Body of Knowledge, and ISC2 awarded him the Tipton Award in 2001 for that work. He later became Vice Chairperson of ISC2. The same people, working in overlapping settings, built the federal training standards and the commercial certification body of knowledge in parallel, both rooted in the taxonomic worldview that started as a pedagogic framework in McCumber’s 1991 paper. A worker who memorized that taxonomic worldview became a credentialed professional. A worker who could prove a security property using Bell and LaPadula could not get a job, because there was no certification for that.
Schou is not a villain in this story. He is a serious academic who spent his career trying to professionalize the field. That is part of what makes the capture so hard to see and harder to fix. The taxonomic worldview the apparatus inherited from McCumber’s teaching tool was carried into the federal training standards and the commercial certification body of knowledge by serious people who thought they were professionalizing the discipline. The road to the cage was paved with academic intentions, and the work of dedicated educators became the scaffolding for a credentialing regime that displaced the engineering foundations of the field.
Forty-six people earned the CISSP in its first year. By 2024 there were more than one hundred sixty-five thousand of them. The certification scaled because the taxonomic worldview scaled. Neither one ever had to demonstrate that it produced competent practitioners. It produced certificate holders, which is a different thing, and the apparatus did not notice the difference because the apparatus was the customer.
1997 hits and the diagnostic engine kicks on. The Marsh Commission, formally the President’s Commission on Critical Infrastructure Protection, names the workforce shortage as a national security problem. October 1997. From this moment forward, every cyber workforce policy document for the next twenty-nine years restates the same diagnosis. Not enough people. Need more people. Need more certifications. Need more pipeline. Twenty-nine years of restated diagnosis. The gap grows every year by every measure the apparatus uses to measure it. Nobody in the apparatus loses sleep over this. Nobody loses a job. The diagnosis is repeated with the rhythm of a Catholic rosary by people who have never asked whether the prayer is working.
August 1997. The Military Communications and Electronics Board endorses certification as the path. The fix is in. Certification is now the federally approved proxy for competence in a field whose actual foundations the apparatus has chosen to ignore. The CAE program at NSA spun up in 1998 and 1999. Universities are told that to qualify for the designation, they have to map their curricula to NSTISSI 4011. The deans line up. They take NSF Scholarship for Service money in exchange for surrendering the conceptual high ground of their own field. The capture of higher education is complete. The Ware lineage gets pushed off the syllabus to make room for a teaching tool that has been turned into a regulatory standard, and the regulatory standard now defines what the universities are allowed to teach if they want their students to get federal jobs.
I watched this happen. I was on the Purdue faculty when CERIAS was building out the academic side. We fought a version of this fight and lost most of it, because by the time the academic side had the conceptual maturity to push back, the certification industry had already built the moat. We took the designation. We took the funding. We swallowed the spec. We did not love it. We did it anyway. That is what the surrender looks like from inside, and the surrender was the universities accepting that the federal training standard would define the field’s curriculum scaffolding rather than the other way around.
The chain after that gets numbing. I am going to march it for the receipts because if you do not see the pattern in the list, you will not believe me when I name it.
June 1998. ASD/C3I and USD(P and R) joint memo on IA Training and Certification. August 1999. OSD IA and IT HR Integrated Process Team report on training, certification, and personnel management. July 14, 2000. DepSecDef memo declaring the end state of a sustained pool of skilled IA and IT professionals. That end state language survives in every subsequent strategy document. The end state never arrives. The end state will not arrive in 2030 or 2040 either, because the apparatus that wrote it is the same apparatus that ensures it cannot arrive.
May 2001. CJCSI 6510 series. October 2002. DoDD 8500.1. February 2003. DoDI 8500.2. April 2003. CJCSM 6510. August 2004. DoDD 8570.01. December 19, 2005. George Bieber stands up at OASD/NII and briefs the IA Workforce Improvement Program. DoD 8570.01-M, the operational manual, makes commercial certifications a mandatory condition of employment for thousands of federal positions. The CISSP. The CISA. Security Plus. GSEC. CAP. The certification industry has its federal mandate. The mandate is built on bodies of knowledge that are built on the cube that was built as a teaching tool in 1991. The recursion has eaten its own tail and the apparatus believes the tail is a separate animal.
January 2008. President Bush signs HSPD 23 and NSPD 54. The Comprehensive National Cybersecurity Initiative. Twelve initiatives. Workforce is one. Recommendation eight will become NICE. March 2010. NICE stands up at NIST. The 1997 diagnosis gets restated with new urgency, because by now the gap has grown rather than shrunk in the thirteen years since Marsh, and the apparatus response to a failing diagnosis is to repeat it louder. The first NICE Framework draft drops in 2011. Seven categories. Thirty-one specialty areas. That is a cube expansion. The cells multiply. The geometry stays.
Somewhere in this stretch, in a conference room at the National Defense University, a panel on cyber higher education convenes with no higher education people on it. The reason there are no higher ed people on the higher ed panel is that by 2010 the apparatus has so thoroughly captured the conversation that the deans are not seen as authorities on their own field. They are suppliers. The cube is the spec. The deans fill orders. The intellectual capital of the discipline has been transferred from the universities to the certification vendors and the personnel offices, and the universities cheered because they got grant money.
February 2013. Executive Order 13636 on improving critical infrastructure cybersecurity. Workforce diagnosis restated. February 2014. NIST Cybersecurity Framework. The cube gets renamed Framework Core. The cells multiply again. August 11, 2015. DoDD 8140.01 replaces 8570. The rebrand. IA workforce becomes cyberspace workforce. Five workforce elements. More cells. Same cube doing yoga. August 2017. NIST Special Publication 800-181. The NICE Framework gets a formal NIST imprint.
May 2, 2019. Executive Order 13870 on America’s Cybersecurity Workforce. The diagnosis gets restated. Skills-based hiring gets named. Cyber Excepted Service gets expanded as a personnel flexibility. The same memo from 1999, wearing newer shoes and a thinner tie. February 2023. DoDD 8140.03 manual. More work roles. More TKS statements. Cube expansion. July 2023. ONCD publishes the National Cyber Workforce and Education Strategy. The Biden contribution. Apprenticeships get mentioned. Community colleges get a nod. This is the first crack I can see in thirty-two years of cube doctrine, buried inside a document that still operates fundamentally inside the cube. Like a prisoner who chips a small hole in the wall and then sits down to write a strategic plan about chipping holes in walls, which is then framed and hung on the wall right next to the hole. June 2024. NCWES initial report. The remedies get restated. The diagnosis stays the same.
The pattern by now is comic. Genuinely comic. If you laid the documents out on a long table and read the executive summaries in sequence, you would notice that the apparatus is writing the same paragraph in slightly different vocabulary every three to five years. The workforce shortage is named. The cells are expanded. The certifications are reaffirmed. The pipeline is invoked. The partnerships are listed. The strategy concludes that more of the same is needed. A new acronym is born. A new framework is published. The previous framework gets renamed or absorbed. The diagnosis stays exactly the same.
Meanwhile, the gap grows. Every year. By the apparatus’s own measurements. The 1997 Marsh diagnosis estimated the shortage in the tens of thousands. By 2021, CyberSeek reported 600,000 unfilled US positions, including roughly 40,000 federal positions. By 2025, ISC2 reported a global workforce gap of 4.8 million. The graph goes up. The policy goes around.
GAO has had federal information security on the High-Risk List since 1997. GAO added strategic human capital management to the High-Risk List in 2001. GAO has specifically called out federal cyber workforce management as a recurring failure since 2003. Twenty-three consecutive years of the same finding. Read the GAO reports in sequence and you will see the same recommendations restated with mild updates to footnotes. The agencies acknowledge. The agencies plan. The agencies announce corrective actions. The next year GAO finds the same problem. The year after that, the same problem. Forever.
September 2025. GAO publishes a report finding that twenty-two of twenty-three CFO Act agencies cannot produce reliable data on the size or cost of their cybersecurity contractor workforce. Thirty-four years downstream of the cube. Twenty-eight years downstream of Marsh. Twenty-three years into being on the High-Risk List for this exact issue. The apparatus cannot count its own people. It cannot tell you how many cyber workers it has. It cannot tell you how much it spends on them. It cannot produce the inventory that any sane HR function would produce in the first week of operating.
Read that again and let the air leave the room. The agencies have spent thirty-four years writing frameworks about workforce management, and they cannot count their workforce.
This is the indictment. This is the receipt. This is the thing nobody in workforce policy is willing to say out loud, because saying it out loud requires admitting that the framework approach is not failing to produce results. The framework approach is the result. The framework approach is what we are doing. The output is the inability to count, the inability to hire, the inability to retain, the inability to develop senior talent, the unmoved gap, the worsening posture, and the same recommendations repeated every five years by people who appear to genuinely believe that the repetition is progress.
Here is the part nobody wants to write down. We have a thirty-five-year run of empirical evidence that this approach does not work. We have a twenty-three-year run of GAO findings that this approach does not work. We have measurable, audited, quantified failure across multiple administrations, multiple Congresses, multiple Secretary level signatures. The apparatus response, every time, is to write another framework, expand the cube into more cells, refresh the strategy document, add new acronyms, and convene another panel. The apparatus has tried what it is trying for thirty-five years and it is not working and the apparatus continues. The apparatus continues because the apparatus’s continuation is the only thing the apparatus is actually built to produce.
The Ware lineage is sitting on a shelf. The Anderson reference monitor is sitting on a shelf. Bell and LaPadula are sitting on a shelf. Saltzer and Schroeder are sitting on a shelf. The Orange Book is sitting on a shelf. The Rainbow Series is sitting on a shelf. The conceptual foundations of the field, the engineering rigor that actually produced working systems and verifiable proofs, have been gathering dust since 1994 because the apparatus chose convenience and called it standardization, chose certification and called it competence, chose checklists and called it workforce planning.
The fix is not another framework. The fix is not another strategy refresh. The fix is not skills-based hiring as a vocabulary item bolted onto an unchanged cube. The fix is not another pipeline program or another grant or another CAE expansion. The apparatus has tried all of those. The apparatus has tried versions of those eight to twelve times each across the thirty-five-year run. They do not work. They have never worked. They will not work in 2027 or 2030 either.
The fix is to stop.
Stop writing frameworks. Stop adding cells. Stop renaming the cube. Stop convening panels on higher education with no higher education people. Stop mandating certifications as a proxy for competence. Stop pretending the certification industry is a partner instead of a parasitic capture. Stop treating universities as feeders. Stop treating workforce as a personnel problem solvable through taxonomy. Just stop.
Read the Ware Report. Read Anderson. Read Bell and LaPadula. Read Saltzer and Schroeder. Read the Orange Book. Treat the discipline as the engineering discipline it is and was, and build the workforce on the engineering foundations the discipline actually has, with the supervised practice and the years of mentored development that every other comparably complex engineering field uses to produce competent practitioners.
The apparatus will not do this. The apparatus is incapable of doing this because doing this requires admitting that the apparatus has been wrong since 1994, that the people who built the apparatus, the people who staffed it, and the people who funded the certification industry that supports it have all been participating in a thirty-five-year-long mistake. Nobody loses a career for being right. People lose careers for admitting they were wrong. The apparatus will continue. The frameworks will continue. The gap will grow.
Willis Ware died on November 22, 2013. He was ninety-three. He wrote the founding document of the field forty-three years before he died, and by the time he died the field had stopped reading him. I cannot find a record of the workforce apparatus sending a representative to his funeral. Nobody invited him to keynote a NICE conference. There is no Ware Award. There is no Ware Chair endowed by ONCD. There is no Ware curriculum at the CAE schools. The man who founded the field is a footnote in a discipline that does not know it has a father.
John McCumber is still alive and still writing. He has spent decades trying to push the apparatus past the cube he wrote as a teaching tool. The apparatus uses his name on slides and ignores his actual published guidance. He is a casualty, not a cause. The crime was committed by people who took his chalkboard and poured concrete around it without asking him whether the chalkboard was load-bearing. If you are reading this and you know John, tell him I said his name with respect. The man wrote a useful paper. The men who weaponized it for personnel codes never asked his permission.
We just need to stop. That is the entire answer. Stop doing the thing that has not worked for thirty-five years. Read the foundations. Build the workforce on the foundations. Accept that the workforce gap is irreducible below the rate at which seniors can mentor juniors. Accept that the apparatus’s own continuation is not the same as the field’s progress. Accept that we have been driving in a circle and the way out of the circle is to stop driving.
The cube turns thirty-five this October. Nobody is throwing it a party. Nobody is taking it out behind the shed either, and that is the whole story. The framework that ate the field will outlive every one of us, because the apparatus that depends on it cannot imagine its own dissolution, and so we will keep doing the thing, and keep failing at the thing, and keep writing reports about how we are about to stop failing at the thing, until the country produces a generation of cyber professionals so depleted in actual engineering capability that the next major breach will look back at the cube and ask who let this happen.
The answer to that question is on a slide in a 2005 PowerPoint deck. The answer is in a 1994 training standard. The answer is in every executive order, every directive, every framework, every strategy refresh, every panel where the deans were not invited. The answer is us. The answer is the apparatus we built and the apparatus we kept building when we should have been reading.
Stop building. Read. Then maybe in twenty years we will have a workforce. Not before. Not faster. Not through another framework. Through reading what was already written and doing the work that was already laid out by people who knew exactly what they were doing in 1970.
The bourbon is gone. The ice is melted. The sun is past the spreaders and the cube is still standing. The cage door has been open for thirty-five years. Nobody has walked through it. Maybe we will. Probably we will not. The receipts are clean. The pattern is the pattern. The cube turns thirty-five this October.
Stop feeding it.
Prior Art
- Das Chowdhury, Partha, Mohammad Tahaei, and Awais Rashid. “Better Call Saltzer & Schroeder: A Retrospective Security Analysis of SolarWinds & Log4j.” arXiv preprint arXiv:2211.02341 (November 2022). University of Bristol Cyber Security Group. Maps the SolarWinds Orion and Log4j breaches against the Saltzer and Schroeder 1975 design principles using Incident Fault Tree analysis. Identifies fail safe defaults, economy of mechanism, complete mediation, and least privilege as the common principles violated in both incidents. Closest existing parallel to the Saltzer Schroeder paragraph in the dispatch. Strengthens the claim that the engineering foundations were sound and the modern failures track to their abandonment.
- Maconachy, W. Victor, Corey D. Schou, Daniel Ragsdale, and Don Welch. “A Model for Information Assurance: An Integrated Approach.” Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, United States Military Academy, West Point, NY, June 2001, pages 306 to 310. Extends McCumber’s 1991 model by adding temporal dimensions and separating security services from countermeasures, in response to the field’s growth from INFOSEC to Information Assurance. Acknowledges McCumber’s original as a pedagogic framework and proposes a more mature successor. The extension was never adopted by the federal training standards apparatus. Documents that serious academics inside the field tried to update the conceptual foundation and got ignored by the regulatory regime.
- National Research Council, Committee on Professionalizing the Nation’s Cybersecurity Workforce. “Professionalizing the Nation’s Cybersecurity Workforce: Criteria for Decision Making.” Washington, DC: The National Academies Press, 2013. The National Academy of Sciences panel report that questioned whether formal certification was the right path to professionalization of the cybersecurity workforce. Notes that certification regimes risk becoming obsolete, that workers may lack incentive to update skills, and that consensus on core knowledge takes time to develop. Establishes that serious questioning of the certification model was on the public record at the highest levels of the academic establishment more than a decade ago and was effectively ignored by federal workforce policy.
- Lewis, James A., and Georgia Wood. “Cyber Workforce Strategies Should Produce at Scale.” Washington, DC: Center for Strategic and International Studies, December 8, 2025. Argues that current cyber workforce strategies cannot produce trained workers at the volume required to close the gap, with apprenticeship and pipeline programs producing hundreds to low thousands annually against a shortfall measured in hundreds of thousands. Cites the World War Two pilot training programs and the Eisenhower era National Defense Education Act as historical precedents for actually scaling a workforce in a crisis. Acknowledges that the existing federal apparatus has not produced and will not produce the needed scale through its current methods.