New Bipartisan Bill Targets the 500,000-Job Cybersecurity Gap With Apprenticeship Funding

The United States has more than 500,000 unfilled cybersecurity jobs. That number has been climbing for years, and the usual prescriptions—university degree programs, corporate training budgets, awareness campaigns—haven't bent the curve. A bipartisan group of lawmakers is now trying a different approach: registered apprenticeships, funded at the federal level.

The Cyber Ready Workforce Act, introduced this week by Representatives Susie Lee (D-NV) and Brian Fitzpatrick (R-PA) in the House, with companion legislation from Senators Jacky Rosen (D-NV) and Marsha Blackburn (R-TN) in the Senate, would direct the U.S. Department of Labor to establish a grant program specifically for cybersecurity apprenticeship initiatives. The bill targets community colleges, workforce development boards, and industry partnerships that can create structured earn-while-you-learn pathways into security careers.

Why Apprenticeships, and Why Now

The cybersecurity workforce crisis isn't new, but its intersection with industrial systems is intensifying. As manufacturing floors, energy grids, water treatment plants, and logistics networks become more connected, the attack surface expands—and the defenders haven't kept pace. The operational technology (OT) security sector faces an even more acute talent shortage than enterprise IT security, because OT roles require hybrid skills that span both information technology and industrial engineering.

Traditional four-year degree programs haven't produced graduates fast enough, and many lack the hands-on OT component that employers need. Apprenticeship models, by contrast, embed trainees directly in working environments where they learn on live systems alongside experienced practitioners. Germany and the UK have long used apprenticeship frameworks to build skilled technical workforces; the U.S. has been slower to adopt the model for cybersecurity.

The bill's sponsors argue that the grant mechanism will lower the financial barrier for employers—particularly small and mid-sized manufacturers—that want to develop in-house security talent but can't afford to build training programs from scratch.

The OT Security Angle

The legislation arrives as the broader policy landscape around industrial cybersecurity is tightening. CMMC 2.0 requirements are now in full effect for defense contractors. NIST is actively expanding its NICE Workforce Framework to include dedicated OT security competencies and an emerging AI Security Competency Area. The Pentagon is reviewing its own cyber workforce strategy under pressure from a separate Senate bill, with the Department of Defense trying to align over 225,000 cyber-related positions to standardized role codes.

Meanwhile, the threat environment keeps escalating. PwC's 2026 Annual Threat Dynamics report documented a surge in identity-based attacks, with AI tools lowering the barrier for adversaries to craft convincing phishing campaigns and automate reconnaissance against industrial targets. For organizations running legacy SCADA and ICS systems—which describes a large share of U.S. critical infrastructure—the gap between attacker capability and defender readiness is widening.

Will Grants Move the Needle?

Skeptics will note that federal workforce programs have a mixed track record, and that cybersecurity apprenticeships face real structural challenges: security clearance requirements for some roles, liability concerns around giving trainees access to production systems, and the difficulty of standardizing curricula across a rapidly evolving field.

But the bipartisan support is notable in a polarized Congress, and the emphasis on registered apprenticeships—which carry DOL-recognized credential standards—adds a layer of quality assurance that earlier, looser workforce initiatives lacked. If the bill advances, it could create a pipeline of OT-literate security professionals that the industrial sector desperately needs.

The half-million-job gap won't close overnight. But policymakers are at least beginning to treat it as the infrastructure problem it is, rather than simply a hiring problem for individual companies to solve on their own.