This is the first of six articles in our series from Learning Tree instructor Aaron Kraus on the NICE Cybersecurity framework and common challenges many organizations face when trying to maintain vital cybersecurity skills and resources. To further your journey, read the rest of the blog series and learn more about Aaron Kraus here.
The National Initiative for Cybersecurity Education (NICE), published by NIST in Special Publication 800-181, describes a framework which can be used to identify key workforce roles, job skills, and capabilities an organization needs to protect its information, computing systems, and overall operations. Due to the rapidly evolving nature of this field it can be difficult to assess the skills and roles needed. The framework provides a consistent set of definitions and requirements to assess an organization's needs, and clear pathways to hiring or developing the right personnel to meet those needs.
The framework comprises multiple components, which are described below, and can be useful for a variety of audiences. Organizations can use it to identify the skills they need to develop, individuals can use it to identify career paths and specializations, and educators or training organizations can use the framework to develop curriculum and educational materials. The NICE components include:
- Categories: These describe seven functional areas an organization's cybersecurity program must address, including Securely Provision, Operate and Maintain, Oversee and Govern, Protect and Defend, Analyze, Operate and Collect, Investigate.
- Specialty Areas: Within each category the Specialty Areas focus on particular functions that support the successful operation of the category. Each Specialty Area comes with a description of the purpose and typical job functions expected of personnel working in that area. There are 32 in total, denoted by three-letter acronyms, including:
- Securely Provision (SP): Risk Management (RSK), Test and Evaluation (TST)
- Operate and Maintain (OM): Network Services (NET), Systems Administration (ADM)
- Oversee and Govern (OV): Training, Education, and Awareness (TEA), Executive Cyber Leadership (EXL)
- Protect and Defend (PR): Incident Response (CIR), Vulnerability Assessment and Management (VAM)
- Analyze (AN): Threat Analysis (TWA), Exploitation Analysis (EXP)
- Collect and Operation (CO): Collection Operations (CLO), Cyber Operational Planning (OPL)
- Investigate (IN): Cyber Investigation (INV), Digital Forensics (FOR)
- Work Roles: The Work Roles describe specific positions which make up a mature cybersecurity capability. When used outside of government agencies the titles may not be as applicable, but they are still useful to describe the roles, responsibilities, and assignments that should be made. Work Roles are described with a sequential ID number that includes the Category and Specialty Area, e.g., SP-DEV-001 and SP-DEV-002 are Software Developer and Software Assessor, respectively. They belong to the Securely Provision Category and Software Development Specialty Area.
- Knowledge, Skills and Abilities (KSAs): The KSAs describe the competencies necessary for workers in particular roles to achieve the organization's overall cybersecurity objectives. Knowledge is information which the user has and can be applied to the task at hand, while Skills are the observable actions a user takes in a given role, such as performing an incident investigation, writing a policy, or executing an audit. Abilities describe the competence, or the capability to do a task successfully, for the various work roles.
- Tasks: These are specific defined units of work required to achieve the goals of the work role or roles needed to satisfy a Specialty Area. These tasks describe the lowest level of work activities that the organization's cybersecurity workforce should be able to perform, and cover common duties like securely configuring network equipment, developing and applying threat models for risk assessment, and coordinating incident response with appropriate external organizations like law enforcement or public relations firms.
As a NIST standard the NICE Framework is most often used by US Federal Government agencies, but it is a free resource and can be utilized by any organization including state governments, for-profit businesses, and non-profits. An organization can break down their needs by Category and Specialty Areas, and measure whether adequate staff and skills exist to cover the Work Roles. Where gaps exist, training and workforce development can be applied to develop the cyber workforce and ensure adequate protection for information and systems.