National Cybersecurity Workforce Framework
What is the Framework?
The National Initiative for Cybersecurity Education (NICE) developed the National Cybersecurity Workforce Framework (the Framework) to define the cybersecurity workforce and provide a common taxonomy and lexicon by which to classify and categorize cybersecurity professionals.
The Framework is a dictionary. It provides a consistent way of defining the cybersecurity population using standardized terms. This is an essential step in ensuring that our country is able to educate, recruit, train, develop, and retain a highly-qualified workforce. It lists and defines 31 common types of cybersecurity work and provides a description of each. Each of the types of work is placed into 1 of 7 overall categories. The 31 common types of work are known as Specialty Areas. The Framework also identifies common tasks and knowledge, skills, and abilities (KSAs) associated with each specialty area.
The Framework is a tool. It provides the groundwork, or a baseline, by which organizations can develop their Human Capital Management programs, including defining roles, designing competency models, standardizing job descriptions, and providing specialized training. The Framework will be used as guidance to the federal government, and will be made available to the private, public, and academic sectors for describing cybersecurity work and workforces, as well as related education, training, and professional development.
The Framework is a collaborative effort. The Framework was developed as a direct result of the White House’s need to quickly identify, quantify, and develop an effective cybersecurity workforce to develop our nation’s critical cyber infrastructure. The Framework is the output of a collaborative effort engaging over 20 Federal departments, agencies, and numerous national organizations from within academia and private industry. Each recognized a need to define the nation’s cybersecurity workforce. In development since 2010, Version 1.0 of the Framework was published on August 22, 2012.
Cybersecurity is essential to protecting our nation’s technology infrastructure against increasing cyber threats and attacks. The work of cybersecurity professionals is critical and, as a nation, consistency in how the cybersecurity workforce is defined and categorized is vital. Furthermore, individuals performing cybersecurity work must be identified and quantified for effective workforce planning.
In response to these needs, an effort began in 2010 to establish a framework that describes the cybersecurity workforce. These efforts evolved as more than 20 Federal departments and agencies contributed to the process. The result was the development of the National Cybersecurity Workforce Framework (the Framework) by the National Initiative for Cybersecurity Education (NICE).
The purpose of the Framework is to describe cybersecurity work irrespective of organizational structures, job titles, or other potentially idiosyncratic conventions. In designing the Framework, “categories” and “specialty areas” were used as an organizing construct to group similar types of work. The categories, serving as an overarching structure for the Framework, group related specialty areas together. Within each specialty area, typical tasks and knowledge, skills, and abilities (KSAs) are provided. In essence, specialty areas in a given category are typically more similar to one another than to specialty areas in other categories.
Framework Development Process
The Framework was developed consistent with professional guidelines and best practices. Using a comprehensive job analytic approach, data was collected from across the government, and additional information was gathered from academia and the public and private sectors. The Framework was developed according to the following steps:
Over the past decade, the importance of identifying cybersecurity work and worker requirements has been recognized and addressed extensively at the individual agency, department, and community levels. Many of these previous efforts involved rigorous job analyses. Therefore, the data and information from these efforts provided a technically sound foundation and efficient approach for developing the Framework.
The primary materials used to create the first draft of the Framework are listed below. A brief description, including details regarding the development of each product, is included.
- Department of Defense (DoD) Cybersecurity Workforce Framework - The DoD Framework is composed of cybersecurity functional roles, associated job tasks, and the knowledge, skills, and abilities (KSAs) required to perform those tasks. This content was compiled by organizational psychology experts and reviewed by subject matter experts (SMEs) through a series of focus groups. The final framework was reviewed and revised by additional SMEs and stakeholders; 118 SMEs across Air Force, Army, Navy, Marines, and NSA participated in the development of this framework.
- Intelligence Community (IC) Cyber Subdirectory - The IC Cyber Subdirectory presents a comprehensive list of competencies and knowledge, skills, and abilities (KSAs) needed by IC cybersecurity professionals to fulfill mission requirements. Subdirectory content was gathered through a data call to 16 IC elements and was compiled by organizational psychology experts. A series of focus groups with 11 SMEs from across the IC was conducted, with an additional review from other SMEs and senior IC stakeholders. Finally, an electronic questionnaire was completed by 51 cybersecurity professionals from across the IC (including the Central Intelligence Agency, Defense Intelligence Agency, Office of the Director of National Intelligence, Department of Defense Cyber Crime Center, Department of Homeland Security, Federal Bureau of Investigation, National Security Agency, Department of State, and intelligence elements of the U.S. Air Force and U.S. Army) to gather confirmatory data for the competencies and KSAs.
- Office of Personnel Management (OPM) Cybersecurity Model - The OPM model for cybersecurity includes core and technical competencies for cybersecurity professionals across four occupational series. This competency model was developed through focus groups and an electronic questionnaire sent to approximately 50,000 employees and supervisors with significant responsibilities for some aspect of cybersecurity. Participation for both of these efforts was across the Federal government.
- National Security Agency (NSA) Computer Network Operations (CNO) Training Roadmaps - The CNO roadmaps establish job tasks and KSAs for CNO work roles and the training available to develop different levels of proficiency within those roles. A series of focus groups with SMEs from each work role was conducted to refine work role definitions and draft lists of tasks and KSAs for the roadmap, while National Cryptologic School (NCS) curriculum managers, instructors, and other experts from 34 curricula reviewed the linkages and provided proficiency information.
- Department of Defense (DoD) 8570: Information Assurance Workforce Improvement Program Manual - DoD 8570 provides guidance and procedures for training, certification, and workforce management of the DoD Information Assurance (IA) work functions. A series of working groups helped to develop the manual by identifying public and private sector resources relevant to IA and then organizing the resources by function and work level.
- Department of Homeland Security (DHS) Information Technology (IT) Security Essential Body of Knowledge (EBK) - The EBK summarizes the IT security skill requirements for the IT security workforce and links competencies and functional perspectives to IT security roles. A working group developed the EBK, and a series of role-specific focus groups was conducted to ensure content across IT security roles was fully represented. Input from the private sector, government, and academia was obtained. In addition, public comment was provided through the Federal Register and incorporated into the final document.
Expert Review and Analysis
The above bodies of work, along with other collected reports, studies, documents, and discussions with SMEs, were used to develop the first draft of the National Cybersecurity Workforce Framework. NICE leadership reviewed the draft Framework throughout the development process and worked to identify additional SMEs to review it. Experts from other government agencies and working groups (e.g., the NIST 800-16 Working Group) and from private industry were identified to provide additional input on the initial draft. When possible, quantitative data was gathered on the relevance of the draft specialty areas and on the importance of tasks and KSAs considered for inclusion in the Framework. Focus groups were also conducted to refine Framework content.
Public Comment Period
The draft Framework was released for public comment in September 2011. The draft was posted on the National Institute of Standards and Technology (NIST) website with a request for comments. Concurrently, the Framework was presented at a variety of industry and government meetings and conferences. The Framework was also briefed to numerous stakeholder groups throughout the federal organizations participating in NICE.
Over 1,300 formal written comments were received, and additional feedback was gathered in targeted focus groups. Over 90 organizations participated in the review and feedback process. These included multiple federal organizations (including agencies in DoD and the IC), interagency federal groups such as the Federal Chief Information Officer Council, and state and local governments. Experts from private industry (e.g., CompTIA, C3, Dell, and IBM) also provided input.
Finalizing the Framework
Once all comments were analyzed, the Framework was updated to incorporate the feedback that reflected new information or provided clarification or other meaningful input. As in any large-scale adjudication process, some contradictory feedback was received. In these instances, additional review was conducted to reconcile the feedback and identify the optimal revision to be made to the Framework. Ultimately, most of the edits that were made involved renaming specialty areas and categories to better reflect the cybersecurity work conducted in that area, adding tasks and KSAs, removing tasks and KSAs that were noted as unimportant, and revising tasks and KSAs to improve clarity. The limited extent of the revisions needed to finalize the Framework is a reflection of the robust development process.
Implementing the Framework
NICE introduced the Framework at many conferences and events beginning in 2011 and has sought the input of thousands of subject matter experts (SMEs) to validate the specialty areas, tasks, and KSAs.
Federal organizations have begun to apply the Framework to their workforce. For example, the Department of Homeland Security’s (DHS) Cyber Workforce Initiative (CWI) Program Office is infusing the Framework into the development of role-specific competency models for all DHS cybersecurity professionals. The Department of the Navy, the Department of Veterans Affairs, and the National Security Agency are also in various stages of adoption.
The Federal Information Security Management Act (FISMA) survey will soon require Federal organizations to respond to questions regarding training and codification of cybersecurity professionals.
The Office of Personnel Management (OPM) will soon release a data element code, based on the Framework, which requires Federal organizations to identify each cybersecurity professional's specialty area within Enterprise Human Resources Integration (EHRI).
National Cybersecurity Workforce Framework How-To Guide
To further assist stakeholders in implementing the Framework, a How-To Guide has been developed to provide information on how organizations can adopt it.
The How-To Guide goes into detail on what the Framework is and how it was developed. In addition, it describes the seven categories of cybersecurity work and the 31 cybersecurity specialty areas, as well as the benefits of adopting the Framework. The How-To Guide then outlines the steps needed to implement the Framework in an organization, including a four-step process based on the Human Capital Lifecycle, which outlines the proper way not only to adopt the Framework but to make its implementation a success. Finally, the How-To Guide details how the Framework can be customized to an organization.
This How-To Guide will serve as a tool that readers can use to see how the Framework can define their organization’s cybersecurity roles. The How-To Guide is also available as a PDF.