PolicyBrief
H.R. 6429
119th Congress, Dec 4th 2025
Expanding Cybersecurity Workforce Act of 2025
IN COMMITTEE

This bill establishes a CISA program to promote cybersecurity careers specifically to disadvantaged communities across the United States.

Shontel Brown (D), Representative, OH-11

LEGISLATION

New Act Targets Workers Over 40, Veterans, and Minorities to Fill Cybersecurity Jobs with $20M Annual Fund

The “Expanding Cybersecurity Workforce Act of 2025” is straightforward: it sets up a new program within the Cybersecurity and Infrastructure Security Agency (CISA) specifically designed to recruit and train people from historically underrepresented groups into the high-demand field of cybersecurity. This isn’t a small pilot program; the bill authorizes $20 million annually from Fiscal Year 2026 through 2031 to make this happen.

Who Gets the Training? The Big List of Targets

CISA is being directed to cast a very wide net, focusing its recruitment efforts on several key demographics often overlooked in tech hiring. This includes older individuals (defined as age 40 or older at program entry), women, veterans, and those who were formerly incarcerated. The bill also explicitly targets racial and ethnic minorities, people with disabilities, and low-income individuals. If you’re someone who got your degree through a community college, a trade school, or one of the many minority-serving institutions (like HBCUs or Tribal Colleges), you’re also a focus.

Think about what this means on the ground: If you’re a construction foreman in your late 40s looking for a less physically demanding career, or a veteran whose military experience gives you a leg up in high-stress, technical environments, this program is designed to create a clear, funded pathway for you. The goal is to move past the idea that a four-year degree from a top university is the only way into cybersecurity.

Tailored Outreach and Local Impact

CISA has 180 days to launch this initiative, and a major part of the job is outreach. The agency must actively promote the program to unions, local chambers of commerce, state workforce development offices, and even parents of K-12 students. This is smart because it recognizes that to reach people, the message can’t just live on a government website—it has to be pushed out through the organizations people already trust and interact with.

Crucially, the Director is required to tailor the program to the “unique needs of each region and sector across the United States.” This suggests that a program focusing on securing agricultural technology in rural Iowa might look very different from one focusing on financial technology security in New York City. While this regional flexibility is necessary to make the program effective, it also gives CISA significant power to decide where and how the $20 million is spent, which will require close attention to ensure fairness across the country.

Keeping Score: Congressional Oversight

To ensure this program is actually moving the needle, the bill mandates that CISA report annually to Congress starting one year after enactment. These reports must detail the program’s efficacy and its impact on the general characteristics of the U.S. cyber workforce. For the average person, this means there’s a built-in mechanism to check if the government is hitting its targets for diversity and training, and if the money is translating into real jobs for real people. It puts CISA on the hook to prove that targeting these specific communities is successfully addressing the national shortage of cybersecurity talent.