The initial version of the government’s cybersecurity workforce framework is only a couple months old. But it’s already having an influence on how agencies and academia think about how their training and education programs will respond to the nationwide shortage of cyber professionals.
The Cybersecurity Workforce Framework, developed by 20 different agencies, is based on the idea that the nation has to define exactly what a cybersecurity professional is before organizations can start to effectively bolster the quality and quantity of employees who design and defend critical technology systems.
The draft version of the document, developed a year ago, already has been used by agencies and universities to refine job descriptions, revamp training and education programs and help industry, academia and government to begin to reach consensus on the makeup of a modern-day cybersecurity workforce, said Peggy Maxon, the director for cyber education strategy at the Department of Homeland Security.
“Within the government alone, there were over 20 different standards or descriptions,” she said during a panel discussion at a recent event in Washington sponsored by the Intelligence and National Security Alliance. “In order to stimulate and build a cybersecurity workforce that’s going to protect our nation in this time of technology, we need to have a common understanding of what a cybersecurity professional is.”
The framework tries to create a common lexicon to describe various job positions in the cybersecurity workforce, much of which is made up of job titles that don’t contain the word “cyber.” Systems administrators, lawyers, forensic analysts, requirements planners and training experts are among a few dozen specialty areas the framework lays out along with general knowledge, skill and ability requirements for each group.
Maxon said the main goal was to set up a system that’s flexible enough to apply to any organization’s existing organizational structure, but still allows the people who hire, train and educate cyber professionals to all speak the same language.
“This becomes a very, very powerful tool for everyone to use,” she said. “It allows a common baseline so that everyone can say, ‘Ok, that’s the kind of skills I want.'”
Changes to federal personnel systems
The National Institute of Standards and Technology published the final 1.0 version of the framework in late August as part of the National Initiative for Cybersecurity Education (NICE). Agencies have been consulting with industry and academia for the past year to refine the 31 separate functional areas that currently make up the framework, but the government has been implementing it at the same time based on its draft form.
The Office of Personnel Management already has made changes to personnel systems so that job descriptions map to the framework, and the plan also already has had in impact on cyber education at colleges and universities across the country, Maxon said.
“An education program co-led by the National Security Agency and DHS now has 166 two-year and four-year universities across the country that have been designated as centers for academic excellence in information assurance or cybersecurity, and they’re linking their curriculum to this,” she said. “So we’re honing not just a definition, but we’re driving education programs throughout the nation.”
One of those centers of excellence is at Virginia Tech, where Dr. Charles Clancy, the director of the university’s Hume Center for National Security and Technology, said the school is trying to build a cyber curriculum based on strong partnerships with both the tech industry and with federal agencies.
“A good example of that is our partnerships with a variety of federal agencies that allow us to get students security clearances while they’re grad students working on projects,” he said. “I think we’ve gotten 63 people cleared through that program in the past two years. What we’ve found is that if students get that mission sense and understand what’s going on behind the curtain, they’re much, much more likely to go into federal service as opposed to going to work in Silicon Valley.”
Joint training across DoD
Maxon said cyber challenges across the country also are using the framework to define the parameters of their competitions.
In the Defense Department, the Defense Information Systems Agency is using the NICE framework to create common, joint cyber training across all of the military services.
“As we look at the various roles an individual would play, we’re making the determination of what’s the appropriate training, skills and knowledge for each of those people as we work toward the development of more modularized training,” Roger Greenwell, DISA’s field security operations director said in a recent interview with Federal News Radio.
Now that version 1.0 of the framework is out, Maxon said agencies will discuss it further at a three-day public workshop beginning Oct. 30 on the NIST campus in Gaithersburg, Md. That forum will help define the next version of the framework, which agencies expect to continue updating to match continuing changes in technology and workforce capability. The functional areas reflected in current version of the document will be updated each year, she said.
In December, NICE will go live with a new website that will serve as an implementation tool for the entire national cybersecurity education initiative.
Additionally, Maxon said the government intends to launch a database to help serve and integrate the training needs of the cyber workforce in industry.
“So that if somebody’s out in California supporting the health sector, or in the middle of the country supporting the transportation sector, they can all go into this and find out where they can get training,” she said. “For example, they can type in a specialty area like digital forensics, and we’ll take them to educational and training curriculum that will help them grow in their career. We’re very excited about all of this, and it will succeed if we can connect it to industry.”
Tom Temin is the host of The Federal Drive, 6 a.m.-10 a.m. on 1500 AM in the Washington, D.C. region and online everywhere.
Tom also writes a weekly commentary. Subscribe to Federal Drive's daily audio interviews on iTunes or PodcastOne