NIST aims to cut ‘tech speak’ from cyber workforce framework

The NICE framework, which defines cyber workforce roles, just added new competencies and updated skills. But for cyber leaders at NIST, that’s only the start.

After recent changes to the framework that defines cyber roles across government, leaders at the National Institute of Standards and Technology are already looking ahead to keep the needle moving on strengthening the federal cyber workforce.

The National Initiative for Cybersecurity Education (NICE) framework, which defines specific cyber workforce roles, just added several new competency areas, and updated skills and tasks to try to help agencies better understand and meet their cyber workforce needs. But for Karen Wetzel, NIST’s manager of the NICE framework, that’s only the start.

“I really want to focus on where we’re going. And that’s continuing to evolve,” Wetzel said during a hybrid conference NIST hosted on Tuesday. “We’re wanting to meet not only today’s needs, but the future needs, and we want to help you all as we are starting to do that.”

As a result, even more changes are coming — including updating the current 52 roles included in the framework, as well as adding even more roles on top of that. The framework’s roles will eventually include positions in risk analysis, product security, procurement security and program management.

“This is not a field that stays the same, and in a lot of these work roles, even though the content underneath them has been updated, we have not reviewed them in that context since 2017,” Wetzel said. “What we’re looking at is reviewing existing workflows.”

As an example, NIST is currently working with the Justice Department and the FBI to update investigation roles by looking at digital evidence forensics and making sure that’s still pertinent and useful, Wetzel said.

NIST is also planning to incorporate AI when updating its skills definitions.

“We understand that AI is going to have an impact across a number of our existing work roles. We need to have an understanding of what will that impact be, and how to make sure people are trained to be able to prepare for that,” Wetzel said. “This is really about understanding this constant evolution, knowing that when we have this out, it’s not going to be a static thing, but something that we engage with the community on. We really are working from that employer perspective about what the needs are, and working with the subject matter experts to make sure that our content is up-to-date and useful.”

The planned changes come after a March update to the NICE framework, which added 11 new competency areas, including AI security, cloud security and cyber resiliency, as well as more than 2,000 task, knowledge and skill statements.

“With that, we [tried] to make it so that we don’t have that ‘tech speak’ — and make it easier to understand what the core work is, what the responsibilities are and what people need to know,” Wetzel said. “And not only that, but have those knowledge and skills to understand what they need to do.”

Having created a new working group on cyber resiliency, Wetzel said her team will also begin creating even more open groups over the next few months, hoping to engage with stakeholders and cyber workforce experts as NIST further develops the framework and competencies for cyber roles.

For years, officials across government and industry have been grappling with a deficit of qualified cyber talent. A big part of the challenge is not only filling cyber roles, but also ensuring there’s a “next generation” of the cyber workforce.

Currently, the federal cyber workforce skews older than the federal workforce overall. At the same time, according to Cyberseek, an organization funded by NIST, there are thousands of vacant cyber roles across government.

But right now, just 14% of organizations said they use the NICE framework for their job postings, according to a survey from the SANS Institute. Wider adoption of the framework could improve how cybersecurity leaders work with HR managers to fill skills gaps, SANS said in a recent report.

Beyond simply bringing people on board, it’s also a matter of cyber workforce retention, which Wetzel said is a struggle for a lot of agencies.

“It can be a stressful job,” she said. “How do we retain people? And how do we make sure there are career pathways for people who want to come into this, so we aren’t losing them? Not just because of burnout, but because they don’t have any way to continue in their career pathways.”

The NICE framework can help agencies understand and address a lot of those challenges, Wetzel said. The idea is to focus on specific skills to help set more realistic expectations and more effective outcomes in hiring and retention. Agencies can use the NICE framework, for instance, when creating position descriptions or picking candidates for open cyber roles.

To try to address the retention challenge, cyber experts have also recommended selecting job candidates based on the skills agencies need in the short term, and then investing in upskilling and training opportunities to build those employees’ skills further down the road. Over the next year, the Biden administration also plans to shift the government’s primary IT job series away from relying on college degree requirements, and instead toward skills-based hiring.

“Everybody wants that purple unicorn — the person with three to five years of experience, who has all of the right certifications, who’s able to come in and hit the ground running, without having any kind of training or organizational knowledge,” Wetzel said. “But that’s not realistic.”

Copyright © 2024 Federal News Network. All rights reserved.