I joined NIST as the first full-time manager of the NICE Framework in October 2020, just one short month before NICE published the first revision NIST Special Publication 800-181, the NICE Workforce Framework for Cybersecurity (NICE Framework). That revision – far from finalizing work – was the starting point that led us to a complete refresh of the NICE Framework components, which includes:
- Revised Work Role Categories and Work Roles – including one new Work Role.
- Eleven new Competency Areas that extend the Framework’s cybersecurity knowledge and skills.
- Updated Task, Knowledge, and Skill (TKS) statements that are more modular, consistent, and clear for easier use.
These components were released as Version 1.0.0 on March 5, 2024.
Why is a Workforce Framework for Cybersecurity Important?
Managing cybersecurity risks is essential in today’s digital world, and cybersecurity is an increasingly interdisciplinary field that offers high-paying, in-demand work opportunities. The NICE Framework uses clear language to describe cybersecurity work and those who perform it in a standardized way, regardless of where they are positioned in the organizational structure. It is used across the public and private sectors and from large to small organizations for career discovery, education and training, and hiring and workforce planning. The updates to the NICE Framework components help individuals, educators, and employers prepare to meet today’s demands for cybersecurity-related jobs by describing cybersecurity Work Roles and Competency Areas and the tasks, knowledge, and skills needed to support them.
What we’ve seen as a result is an improved understanding of how NICE Framework Work Roles and Competency Areas can be used to create job descriptions, support skills-based hiring, increase diversity and grow the talent pipeline, and provide greater visibility into how an organization’s risk is managed, vulnerabilities mitigated, and incidents addressed. It is used in K-12 schools to introduce the broad variety of jobs that have cybersecurity responsibilities; by institutions of higher education, training organizations, and certification bodies to help provide individuals with the skills and knowledge they need to succeed in the workplace; in cybersecurity skills competitions, online tools, and support services to guide career pathways; and by employers and employees to help shape professional development plans and enable career advancement. In short, it is the foundation for the broad ecosystem that works together to advance the cybersecurity workforce.
What’s Next?
Technology has far-reaching impact on our lives, culture, and workplaces. The recent COVID pandemic accelerated many of these changes, the pace of which has shown no signs of slowing down. We are entering, if not already amidst, what has been called the fourth industrial revolution – the third being the digital revolution. This fourth revolution is characterized by ubiquitous technology in all aspects of our society and the advent of connected cyberphysical systems supported by analytics, artificial intelligence, and advanced engineering. To say that technology has the potential to be disruptive may be an understatement, and for each change there are new security considerations and risks to defend against.
The March components release is a big change. Of the 2,280 total TKS statements in Version 1.0.0, only 139 are retained as they existed in 2017—the last time they were published. The statement updates address consistency, clarity, and redundancy and support skills-based hiring and performance-based assessments by focusing on the work itself and what someone needs to know or do to rather than describing potential abilities. The 11 new Competency Areas allow us to extend the NICE Framework further still. They are clusters of related Knowledge and Skill statements that correlate with one’s capability to perform Tasks in a particular domain. These may be used in conjunction with or independently of Work Roles and focus on high-demand areas as well as represent domains that span multiple Work Roles or that do not yet have established Work Roles. Finally, the release merges two overlapping Work Roles into one—Secure Systems Development—and introduces one new Work Role, Insider Threat Analysis. A full summary of the changes and a mapping of the earlier version to this update are available in the NICE Framework Resource Center.
But v.1.0.0 is not the last expected change or update. Instead, it is a first step in what we know will be a series of steps, leaps, pivots, and jumps. Like the workforce it represents, it will continue to evolve and grow as we plan to develop new Work Roles, build out Competency Areas, and review and revisit existing content to make sure that what is in the NICE Framework reflects current needs to attract, develop, and grow the cybersecurity workforce needed to manage cyberspace risks, while anticipating future shifts in technology and employer needs.
The NICE Framework provides a foundation for a coordinated ecosystem of stakeholders so that together we can advance the cybersecurity workforce. We look forward to what’s next and to having you join us on this journey. Learn about the recent NICE Framework updates, how to engage with us, and find additional supporting resources at the NICE Framework Resource Center: www.nist.gov/nice/framework/.