With a December deadline fast approaching to recode IT, cybersecurity and other cyber-related positions as required under the Federal Cybersecurity Workforce Assessment Act of 2015, agencies now have a key piece to that effort.
The National Initiative for Cybersecurity Education (NICE) program in the National Institute of Standards and Technology released the latest iteration of its cybersecurity workforce framework, turning work roles into codes that the Office of Personnel Management can input into their system to track hiring and training.
Bill Newhouse, the deputy director of NICE, said the congressional requirements combined with the latest framework will help agencies better understand and explain where their cyber workforce gaps exist and how to fill them.
“The process is going to end up with positions in the federal government being coded if they have cyber work involved in them and there is some threshold that is used. Up to three work roles can be coded into a position,” said Newhouse in an interview with Federal News Radio. “The framework has 55 work roles. My position in the federal government would be research and development and maybe some policy work.”
He said doing that for every agency will take some time, especially to get the data normalized.
But once it’s done, Newhouse said agencies will have new standardized data to make workforce decisions.
Earlier this year, results from a couple of agencies showed the difficulty in not only tracking, but hiring and training qualified workers. Federal News Radio obtained the workforce assessment reports from the Energy Department and the General Services Administration.
Energy surveyed 624 IT or cybersecurity employees and found 281 (45 percent) held “the appropriate industry-recognized certifications as identified under the National Initiative for Cybersecurity Education.”
The General Services Administration surveyed 38 IT or cyber workers and found 19 (50 percent) had the certifications.
OPM initially issued guidance in August 2016 to implement the law, and then followed up with additional guidance in January with revised and standardized data codes for IT and cyber positions.
Newhouse said NICE issued a request for information and received more than 90 responses that will help inform the recommendations due in mid-September.
Related to the job codes effort, framework also will further improve the Homeland Security Department’s position description tool.
DHS launched the Cyber Management Support Initiative Push Button in 2016 and a few agencies have been testing it out. OPM said at the time the tool would help address one of the biggest challenges for agencies crafting job announcements that accurately describe the specific skills they need.
The DHS tool takes advantage of the framework in describing the specialty areas, and knowledge, skills and abilities (KSAs) and tasks for cyber positions.
“One of the things that happens in the federal government and the private sector is job vacancy announcements and position descriptions don’t make it easy to measure immediately if they are talking about cybersecurity. Sometimes the word will be in there and sometimes they will not,” Newhouse said. “Our ability to even say how many job vacancies right now are posted that say cybersecurity takes a bit of a personal filter. If the PD tool were being used it would be more obvious and that would help the federal government at least count how many vacancies are out there today, and continue to do better metrics on all this so we are able to see trends faster and see progress.”
NIST also will use the framework to update its special publication 800-16, Role-based training for cybersecurity and IT, and include cyber competencies.
Newhouse said many people want to talk about workforce in terms of competencies.
NICE also is trying to make it easier for companies and agencies to use the framework. Newhouse said his office created a reference resource spreadsheet to make it easier to see how the knowledge, skills and abilities and tasks relate to the work roles. He said NICE also is looking at creating a machine readable and relational database version of the framework to improve the usefulness of the framework.
Newhouse said at NICE will further discuss the new framework at its annual conference in November in Dayton, Ohio.
He said the goal is help the public and private sectors adopt and use the framework as they develop their cyber workforces.
“If we all start using this common language, we’ll know what we are talking about faster and together,” he said. “Clearly employers can grab the framework and do things like assess their workforce against the work roles. The framework has a definition of what each work role is essentially covering, what the space is. It’s very specific in that it has a list of knowledge statements, skill statements and ability statements as well as tasks that people who work in those work roles may be undertaking. From that, you can decide how specific you want to be to assess your workforce.”