NIST Framework to Evolve
The National Initiative for Cybersecurity Education (NICE) framework defines specific cyber workforce roles. NIST recently added new competency areas and updated skills and tasks to help agencies better understand and meet their cyber workforce needs.
According to Karen Wetzel, NIST’s manager of the NICE framework, “I really want to focus on where we’re going. And that’s continuing to evolve. We’re wanting to meet not only today’s needs, but the future needs, and we want to help you all as we are starting to do that.”
Upcoming changes will include updating the 52 roles currently in the framework to eventually include risk analysis, product security, procurement security, and program management positions. NIST is currently working with the Justice Department and the FBI to update investigation roles by looking at digital evidence forensics and making sure that’s still pertinent and useful, Wetzel said. NIST is also planning to incorporate AI when updating skills definitions.
A March update added 11 new competency areas, including AI security, cloud security, and cyber resiliency, as well as more than 2,000 tasks, knowledge, and skill statements. Wetzel wants to minimize tech speak so that it’s easier to understand what the core work is, what the responsibilities are, what people need to know, and what they need to do. Over the next several months, the group will begin creating even more open groups, hoping to engage with stakeholders and cyber workforce experts as NIST further develops the framework and competencies for cyber roles.
Currently, the federal cyber workforce skews older than the overall federal workforce, while there are thousands of vacant cyber roles across the government. According to a survey from the SANS Institute, just 14% of organizations said they use the NICE framework for their job postings. The NICE framework can help agencies understand and address challenges, focusing on specific skills to help set more realistic expectations and more effective outcomes in hiring and retention.
Cyber experts also recommend selecting job candidates based on the skills agencies need in the short term and then investing in upskilling and training opportunities to build those employees’ skills for the future.
“Everybody wants that purple unicorn — the person with three to five years of experience, who has all of the right certifications, who’s able to come in and hit the ground running, without having any kind of training or organizational knowledge,” Wetzel said. “But that’s not realistic.”