CISA opens registration for fifth annual President’s Cup cybersecurity competition for US federal workforce

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has opened registrations for its fifth annual President’s Cup cybersecurity competition this month. Registration runs Jan. 3 to 23 for the Teams Competition and Jan. 3 – Feb. 6 for the Individuals Competition. Participants can compete as an individual, on a team of up to five members, or both. Teams can be made of individuals from one or more departments or agencies.

Participation in the President’s Cup is limited to employees of the U.S. federal government, and they must register using a ‘.gov/.mil’ email address. This includes federal employees and uniformed service personnel from federal civilian agencies, Department of Defense active-duty military personnel, civilians, and those serving in a drilling reserve capacity in the Armed Forces Reserves or National Guard. The current job function does not need to be focused on cybersecurity. However, government contractors are not permitted to participate. 

The President’s Cup is the only cybersecurity competition for employees from across the U.S. federal workforce. Each year, federal cybersecurity practitioners can represent their Department and Agency to prove they are the best. Established in response to Executive Order 13870, the President’s Cup Cybersecurity Competition is a national cyber competition aiming to identify, recognize, and reward the best cybersecurity talent in the federal executive workforce. 

Participants are tested in a range of challenges following the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, including cyber defense, cyber exploitation, forensics, and more. The NICE framework is the foundation for increasing the size and capability of the U.S. cyber workforce. It provides a common definition of cybersecurity, a comprehensive list of cybersecurity tasks, and the knowledge, skills, and abilities required to perform those tasks.

The President’s Cup has three rounds between January and April. The first two will take place virtually and participants only need internet access and a web browser to compete. The Finals will be held in person at CISA’s Arlington, Virginia facility, from April 15 to 18, depending on conditions. Agencies will be responsible for the travel of their personnel if they qualify. The White House Awards Ceremony will occur the week of May 13, 2024.    

Round 1 is open to the entire federal workforce, and Round 2 is to individuals with the Top 100 scores from each track and Teams with the top 33 percent of scores from Round 1. The Finals will include the top 10 individuals from each track and the top five teams from Round 2. 

All President’s Cup finalists must attend the Finals in person at CISA’s facility in Arlington, Virginia to participate, the agency said.  Upon receiving notification that they have qualified for the Finals; competitors must notify the President’s Cup team whether they will or will not attend. Individuals must respond by Mar. 8, while team members get a bit longer to respond by Mar. 22. 

If finalists are unable to attend, the next highest qualifying individual or team will be invited, CISA said. Also, entire teams will not be disqualified from participating in the Finals as long as at least two members attend. 

In the first two rounds, participants have eight days to start their timers and complete as many challenges as possible, CISA said. The timer starts when the first challenge is launched and cannot be paused. Participants have limited time to compete before the timer stops for individuals at four hours, and teams at six hours. 

This year’s event challenges have been mapped to Tasks and Work Roles from the NICE Framework, and categories listed in Executive Order 13870. For the individual competition, there are two tracks available, and individuals can choose to participate in one or both tracks based on their interests. For the teams’ competition, the President’s Cup team competition will consist of tasks drawn from the listed eight in-demand NICE framework roles.

All that is needed for the first two qualifying rounds is an up-to-date web browser and a registered account. Supported browsers are Chrome, Firefox, and Edge. The required tools to solve a challenge will be included in the challenge environment. Internet connectivity is removed to keep the integrity of the competition and ensure there is a level playing field for all participants. Mirrors of standard application repositories (Apt and Pip) are provided for use inside of the challenge environment to install additional tools on the provided virtual machines.

There is no carryover of score from one round to the next, as each round starts at zero. In the event of a tiebreaker, the ‘Cumulative Time’ figure will be used to determine who moves on to the Final Round. The Cumulative Time is the total time spent in challenges successfully solved. This is calculated using a timer specific to each challenge on the game board. When a player starts a challenge, the timer starts. When the player solves a challenge, the score and cumulative time are updated.

Back in November, CISA provided a sneak peek into the launch of a new way for organizations to understand their cyber risk and receive targeted, straightforward guidance built around the agency’s Cybersecurity Performance Goals (CPGs). Set to debut in early 2024, the new tool called ReadySetCyber will simplify the process of incorporating cybersecurity into an organization’s business decisions, regardless of the level of expertise or the number of personnel on staff.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.