This blog post is an excerpt from GovLoop’s recent guide, “The People Behind Government Cybersecurity.“
The National Initiative for Cyber Education Workforce Framework (NCWF), developed by the NIST-led National Initiative for Cybersecurity Education (NICE), is designed as a fundamental reference that provides organizations with a common, consistent lexicon to categorize and describe cybersecurity work. The NCWF is a vital resource that defines cybersecurity roles that enable our training and education providers to help us develop a talent pipeline that can meet cybersecurity workforce need of agencies, industry and critical infrastructure providers. The document is a culmination of many years of collaboration between industry, government and academia with the US Department of Defense and Department of Homeland Security being significant contributors.
The need for NCWF stemmed from the nation’s focus on developing the pipeline of talent for the cyber workforce in addition to making sure the workforce would be prepared to meet the most pressing cybersecurity challenges. Before the NCWF was created, there was little consistency throughout the Federal Government in terms of how cybersecurity work is defined, described, and how the workforce is trained. Establishing and implementing standards for cybersecurity workforce and training is a foundational component of the Federal Government’s workforce plan. NIST has published the NCWF as NIST draft Special Publication 800-181.
While the NCWF has been in the making since 2008, some agencies are still figuring out how to employ it. To understand how agencies should use the NCWF to assess workforce needs, train and recruit personnel, GovLoop sat down with Bill Newhouse, Deputy Director of NICE. Newhouse’s role in the development of the document was to evolve the document into being a NIST special publication. Since 1990, NIST’s primary mode of publishing computer/cyber/information security guidelines, recommendations and reference materials has been the 800 series of publications. NICE recognizes the importance of this special publication and made its publication and promotion a strategic objective under the NICE strategic goal, Guide Career Development and Workforce Planning, which aims to support employers to address market demands and enhance recruitment, hiring, development, and retention of cybersecurity talent.
Newhouse explained that the NCWF, more than anything else, serves as a dictionary rather than a prescriptive document. “We didn’t just try to explore the term cybersecurity, but also define different personnel and the different types of roles people would be in,” he said.
Assess Your Workforce Needs
Newhouse advised that agencies first gain an understanding of their workforce needs and identify the key players they are looking for. The NCWF describes cybersecurity work in terms of Categories, Specialty Areas and Work Roles and offers a list of cybersecurity Tasks and the Knowledge, Skills and Abilities (KSAs) that one needs to have to perform that work role. To help understand the various roles of members within a cyber workforce, Newhouse drew an analogy to a beloved American pastime: baseball.
“Baseball organizations are made up of skilled players who must have specific knowledge, skills and abilities to play the game on the field. They also need to have stadium groundskeepers, trainers, medical staff, statisticians/data analysts, front office staff, fan support teams, concessions and a myriad of
people in other roles who influence the success of the organization in measures that grow beyond wins and losses. Cybersecurity much like baseball requires multidisciplinary excellence for success. Some members of the cybersecurity workforce will use tools to defend our networks and data while others will build the tools needed by those defenders. Others will be involved in procurement, training, legal matters and many other areas. The KSAs they bring to the tasks they perform are a key to an organization’s ability to address and mitigate cyberrisks.”
The NCWF outlines the interoperability of cyber skills through seven categories. These categories are designed to provide an overview of the primary areas of practice that agency leaders and recruiters should seek in the cyber workforce. For instance, there is “Oversee and Govern” catered to leadership and management of cybersecurity work and “Operate and Maintain” catered to providing support, administration and maintenance of IT system performance.
Newhouse said that agencies can use the NCWF to assist them in evaluating their own workforce to decide which skills and personnel they need most. Leaders and recruiters can then look within the seven categories to identify relevant work roles and tasks. Once agencies complete this stage, the next steps are to develop training methods.
Train Your Current Workforce
There are more than 50 work roles defined in the framework, which highlights the need for a more well- rounded and diverse cyber workforce. These roles range from “cyber legal advisor” to “vulnerability analyst.” Each work role is defined by extensive sets of related KSAs and tasks. To ensure agencies adequately prepare all members of their cyber workforce to perform their best, training should be based on specialized skills and work roles rather than on blanket approaches that aren’t tailored to individual skillsets.
“Once you’ve identified work roles within your cyber workforce, you can start looking for some common tasks or KSAs within those work roles. This allows an organization to look for training courses which are often described by mappings to the NCWF to meet their workforce KSA or task gaps,” Newhouse said.
Not only should training be catered towards personnel on the cyber frontlines of an agency, but they should also be geared towards other members of an agency. For example, training HR managers on how to use the NCWF is particularly important so they can most efficiently identify recruitment needs and the right candidates.
Recruit Your Workforce
Lastly, Newhouse recommended agencies use the NCWF to recruit personnel based on more than
just years of experience or number of professional certifications. According to Newhouse, it is important that agencies adjust expectations, especially of newer talent. Often, agencies post vacancy announcements calling for five years of experience in addition to an industry certification. The problem is that there’s little evidence of open positions for the entry level professional, who are vital as the next generation
of the cyber workforce. The NCWF framework can actually help agencies attract more students to your agency by using tools like DHS’s Pushbutton PD Tool that builds draft position descriptions. Then adjust job vacancy announcements to use consistent language recognizable to students, education and training providers, and hiring managers.
By using specific work roles from the NCWF and relevant KSAs and tasks, agencies can better tap into the relevant talent they need for their cyber workforce. “As the language of the framework evolves, schools can do a better job of guiding students in terms of what they’ll learn or do in government if they applied to certain cyber vacancies,” Newhouse said.
As a collaboration between the public sector, private sector and academia, the goal of the leaders behind the NCWF is to help agencies and our nation’s industries and critical infrastructure providers build the most well-rounded and capable cyber workforces possible. Ultimately, Newhouse emphasized that the NCWF, if employed correctly, can be used to help agencies better assess their cyber workforce needs, train current personnel and recruit for the future workforce.