National Cybersecurity Workforce Framework
What is the Workforce Framework?
The National Initiative for Cybersecurity Education (NICE) developed the National Cybersecurity Workforce Framework (the Workforce Framework) to define the cybersecurity workforce and provide a common taxonomy and lexicon by which to classify and categorize cybersecurity professionals.
The Workforce Framework is a dictionary. It provides a consistent way of defining the cybersecurity population using standardized terms. This is an essential step in ensuring that our country is able to educate, recruit, train, develop, and retain a highly-qualified workforce. It lists and defines 31 common types of cybersecurity work and provides a description of each. Each of the types of work is placed into 1 of 7 overall categories. The 31 common types of work are known as Specialty Areas. The Workforce Framework also identifies common tasks and knowledge, skills, and abilities (KSAs) associated with each specialty area.
The Workforce Framework is a tool. It provides the groundwork, or a baseline, by which organizations can develop their Human Capital Management programs, including defining roles, designing competency models, standardizing job descriptions, and providing specialized training. The Workforce Framework will be used as guidance to the federal government, and will be made available to the private, public, and academic sectors for describing cybersecurity work and workforces, as well as related education, training, and professional development.
The Workforce Framework is a collaborative effort. The Workforce Framework was developed as a direct result of the White House’s need to quickly identify, quantify, and develop an effective cybersecurity workforce to develop our nation’s critical cyber infrastructure. The Workforce Framework is the output of a collaborative effort engaging over 20 Federal departments, agencies, and numerous national organizations from within academia and private industry. Each recognized a need to define the nation’s cybersecurity workforce. In development since 2010, Version 1.0 of the Workforce Framework was published on August 22, 2012.
Cybersecurity is essential to protecting our nation’s technology infrastructure against increasing cyber threats and attacks. The work of cybersecurity professionals is critical and, as a nation, consistency in how the cybersecurity workforce is defined and categorized is vital. Furthermore, individuals performing cybersecurity work must be identified and quantified for effective workforce planning.
In response to these needs, an effort began in 2010 to establish a framework that describes the cybersecurity workforce. These efforts evolved as more than 20 Federal departments and agencies contributed to the process. The result was the development of the National Cybersecurity Workforce Framework (the Workforce Framework) by the National Initiative for Cybersecurity Education (NICE).
The purpose of the Workforce Framework is to describe cybersecurity work irrespective of organizational structures, job titles, or other potentially idiosyncratic conventions. In designing the Workforce Framework, “categories” and “specialty areas” were used as an organizing construct to group similar types of work. The categories, serving as an overarching structure for the Workforce Framework, group related specialty areas together. Within each specialty area, typical tasks and knowledge, skills, and abilities (KSAs) are provided. In essence, specialty areas in a given category are typically more similar to one another than to specialty areas in other categories.
Workforce Framework Development Process
The Workforce Framework was developed consistent with professional guidelines and best practices. Using a comprehensive job analytic approach, data was collected from across the government, and additional information was gathered from academia and the public and private sectors. The Workforce Framework was developed according to the following steps:
Over the past decade, the importance of identifying cybersecurity work and worker requirements has been recognized and addressed extensively at the individual agency, department, and community levels. Many of these previous efforts involved rigorous job analyses. Therefore, the data and information from these efforts provided a technically sound foundation and efficient approach for developing the Workforce Framework.
- Department of Defense (DoD) Cybersecurity Workforce Framework
- Intelligence Community (IC) Cyber Subdirectory
- Office of Personnel Management (OPM) Cybersecurity Model
- National Security Agency (NSA) Computer Network Operations (CNO) Training Roadmaps
- Department of Defense (DoD) 8570: Information Assurance Workforce Improvement Program Manual
- Department of Homeland Security (DHS) Information Technology (IT) Security Essential Body of Knowledge (EBK)
Expert Review and Analysis
The above bodies of work along with other collected reports, studies, documents, and discussions with SMEs were used to develop the first draft of the National Cybersecurity Workforce Framework. NICE leadership reviewed the draft Workforce Framework throughout the development process and worked to identify additional SMEs to review. Experts from other government agencies and working groups (e.g., NIST 800-16 Working Group), and from private industry were identified to provide additional input on the initial draft. When possible, quantitative data was gathered on the relevance of the draft specialty areas, and the importance of tasks and KSAs considered for inclusion in the Workforce Framework. Focus groups were also conducted to refine Workforce Framework content.
Public Comment Period
The draft Workforce Framework was released for public comment in September 2011. The draft was posted on the National Institute of Standards and Technology (NIST) website with a request for comments. Concurrently, the Workforce Framework was presented at a variety of industry and government meetings and conferences.
Over 1,300 formal written comments were received and additional feedback was also gathered in targeted focus groups. Over 90 organizations participated in the review and feedback process. These included multiple federal organizations (including agencies in DoD and the IC) as well as interagency federal groups such as the Federal Chief Information Officer Council, and state and local governments. Experts from private industry (e.g., CompTIA, C3, Dell, and IBM) also provided input.
Once all comments were analyzed, the Workforce Framework was updated to incorporate the feedback that reflected new information or provided clarification or other meaningful input. Ultimately most of the edits that were made involved renaming specialty areas and categories to better reflect the cybersecurity work conducted in that area, adding tasks and KSAs, removing tasks and KSAs that were noted as unimportant, and revising tasks and KSAs to improve clarity.
Implementing the Workforce Framework
NICE introduced the Workforce Framework at many conferences and events beginning in 2011 and has sought the input of thousands of subject matter experts (SMEs) to validate the specialty areas, tasks, and KSAs.
Federal organizations have begun to apply the Workforce Framework to their workforce. For example, the Department of Homeland Security’s (DHS) Cyber Workforce Initiative (CWI) Program Office is infusing the Workforce Framework into the development of role-specific competency models for all DHS cybersecurity professionals. The Department of the Navy, the Department of Veterans Affairs, and the National Security Agency are also in various stages of adoption.
The Office of Personnel Management (OPM) will soon release a data element code, based on the Workforce Framework, which requires Federal organizations to identify each cybersecurity professional's specialty area within Enterprise Human Resources Integration (EHRI).
What's next? Workforce Framework 2.0
A draft of the updated Workforce Framework continues to be planned for release in Spring 2014. The purpose of the update is to keep the Workforce Framework current with the rapidly evolving field of cybersecurity and appeal to the unique workforce needs of private industry, academia, and government.