National Cybersecurity Workforce Framework
What is the Framework?
The National Initiative for Cybersecurity Education (NICE) developed the National Cybersecurity Workforce Framework (the Framework) to define the cybersecurity workforce and provide a common taxonomy and lexicon by which to classify and categorize cybersecurity professionals.
The Framework is a dictionary. It provides a consistent way of defining the cybersecurity population using standardized terms. This is an essential step in ensuring that our country is able to educate, recruit, train, develop, and retain a highly qualified workforce. It lists and defines 31 common types of cybersecurity work and provides a description of each. Each of the types of work is placed into 1 of 7 overall categories. The 31 common types of work are known as Specialty Areas. The Framework also identifies common tasks and knowledge, skills, and abilities (KSAs) associated with each specialty area.
The Framework is a tool. It provides the groundwork, or a baseline, by which organizations can develop their Human Capital Management programs, including defining roles, designing competency models, standardizing job descriptions, and providing specialized training. The Framework will be used as guidance to the federal government, and will be made available to the private, public, and academic sectors for describing cybersecurity work and workforces, as well as related education, training, and professional development.
The Framework is a collaborative effort. The Framework was developed as a direct result of the White House’s need to quickly identify, quantify, and develop an effective cybersecurity workforce to develop our nation’s critical cyber infrastructure. The Framework is the output of a collaborative effort engaging over 20 Federal departments, agencies, and numerous national organizations from within academia and private industry. Each recognized a need to define the nation’s cybersecurity workforce. In development since 2010, Version 1.0 of the Framework was published on August 22, 2012.
Cybersecurity is essential to protecting our nation’s technology infrastructure against increasing cyber threats and attacks. The work of cybersecurity professionals is critical and, as a nation, consistency in how the cybersecurity workforce is defined and categorized is vital. Furthermore, individuals performing cybersecurity work must be identified and quantified for effective workforce planning.
In response to these needs, an effort began in 2010 to establish a framework that describes the cybersecurity workforce. These efforts evolved as more than 20 Federal departments and agencies contributed to the process. The result was the development of the National Cybersecurity Workforce Framework (the Framework) by the National Initiative for Cybersecurity Education (NICE).
The purpose of the Framework is to describe cybersecurity work irrespective of organizational structures, job titles, or other potentially idiosyncratic conventions. In designing the Framework, “categories” and “specialty areas” were used as an organizing construct to group similar types of work. The categories, serving as an overarching structure for the Framework, group related specialty areas together. Within each specialty area, typical tasks and knowledge, skills, and abilities (KSAs) are provided. In essence, specialty areas in a given category are typically more similar to one another than to specialty areas in other categories.
Framework Development Process
The Framework was developed consistent with professional guidelines and best practices. Using a comprehensive job analytic approach, data was collected from across the government, and additional information was gathered from academia and the public and private sectors. The Framework was developed according to the following steps:
Over the past decade, the importance of identifying cybersecurity work and worker requirements has been recognized and addressed extensively at the individual agency, department, and community levels. Many of these previous efforts involved rigorous job analyses. Therefore, the data and information from these efforts provided a technically sound foundation and efficient approach for developing the Framework.
- Department of Defense (DoD) Cybersecurity Workforce Framework
- Intelligence Community (IC) Cyber Subdirectory
- Office of Personnel Management (OPM) Cybersecurity Model
- National Security Agency (NSA) Computer Network Operations (CNO) Training Roadmaps
- Department of Defense (DoD) 8570: Information Assurance Workforce Improvement Program Manual
- Department of Homeland Security (DHS) Information Technology (IT) Security Essential Body of Knowledge (EBK)
Expert Review and Analysis
The above bodies of work along with other collected reports, studies, documents, and discussions with SMEs were used to develop the first draft of the National Cybersecurity Workforce Framework. NICE leadership reviewed the draft Framework throughout the development process and worked to identify additional SMEs to review. Experts from other government agencies and working groups (e.g., NIST 800-16 Working Group), and from private industry were identified to provide additional input on the initial draft. When possible, quantitative data was gathered on the relevance of the draft specialty areas, and the importance of tasks and KSAs considered for inclusion in the Framework. Focus groups were also conducted to refine Framework content.
Public Comment Period
The draft Framework was released for public comment in September 2011. The draft was posted on the National Institute of Standards and Technology (NIST) website with a request for comments. Concurrently, the Framework was presented at a variety of industry and government meetings and conferences.
Over 1,300 formal written comments were received and additional feedback was also gathered in targeted focus groups. Over 90 organizations participated in the review and feedback process. These included multiple federal organizations (including agencies in DoD and the IC) as well as interagency federal groups such as the Federal Chief Information Officer Council, and state and local governments. Experts from private industry (e.g., CompTIA, C3, Dell, and IBM) also provided input.
Once all comments were analyzed, the Framework was updated to incorporate the feedback that reflected new information or provided clarification or other meaningful input. Ultimately most of the edits that were made involved renaming specialty areas and categories to better reflect the cybersecurity work conducted in that area, adding tasks and KSAs, removing tasks and KSAs that were noted as unimportant, and revising tasks and KSAs to improve clarity.
Implementing the Framework
NICE introduced the Framework at many conferences and events beginning in 2011 and has sought the input of thousands of subject matter experts (SMEs) to validate the specialty areas, tasks, and KSAs.
Federal organizations have begun to apply the Framework to their workforce. For example, the Department of Homeland Security’s (DHS) Cyber Workforce Initiative (CWI) Program Office is infusing the Framework into the development of role-specific competency models for all DHS cybersecurity professionals. The Department of the Navy, the Department of Veterans Affairs, and the National Security Agency are also in various stages of adoption.
The Office of Personnel Management (OPM) will soon release a data element code, based on the Framework, which requires Federal organizations to identify each cybersecurity professional's specialty area within Enterprise Human Resources Integration (EHRI).
What's next? Framework 2.0
A draft of the updated Framework continues to be planned for release in Spring 2014. The purpose of the update is to keep the Framework current with the rapidly evolving field of cybersecurity and appeal to the unique workforce needs of private industry, academia, and government.