The National Initiative for Cybersecurity Education (NICE) has released draft supplemental content to the Workforce Framework for Cybersecurity (NICE Framework). Draft NIST Interagency or Internal Report (NISTIR) 8355, NICE Framework Competencies: Assessing Learners for Cybersecurity Work, elaborates on Competencies, which were re-introduced to the NICE Framework in 2020. The NISTIR provides more detail on what NICE Framework Competencies are, including their evolution and development and example uses from various stakeholder perspectives.
Released in conjunction with NISTIR 8355 is a draft NICE Framework List of Competencies that provides a proposed list of 54 Competencies for the cybersecurity workforce.
Note to Reviewers:
This draft publication assumes some existing knowledge of the NICE Framework and is expected to be read in that context. When providing comments, please consider the following:
- We would like to develop detailed use cases that can be used as implementation models. This document provides some high-level example uses, and it would be helpful to know if these are the primary use cases and what others might exist.
- It will be important to distinguish use cases for when NICE Framework Work Roles and Competencies might need to be used separately as well as when they can be used in tandem.
- The accompanying NICE Framework Competencies list groups the Competencies by type (technical, operational, professional, or leadership). We are seeking to understand whether providing types is valuable and, if so, if the currently identified types meet needs.
- Currently, the Competencies list includes some identified by the type “professional”—often thought of as employability or soft skills. Moving forward, we are seeking to understand how these important capabilities should be a part of Competencies; for instance, whether they should be:
  - Included as NICE Framework Competencies, with associated TKS statements.
  - Included as Knowledge or Skill statements that would be added to NICE Framework Competencies (note that TKS statements in the NICE Framework do not currently reflect professional capabilities).
  - Not included directly; instead, the NICE Framework should simply reference other resources that provide details about professional capabilities that apply across multiple workforces.
- Additionally, various professional skills models already exist, many of which were consulted in the development of the NICE Framework Competencies. Moving forward, we will need to determine whether a single extant model should be used (and which one) or whether multiple models should be assessed to determine which professional capabilities to integrate.
- The NICE Program office would like to learn more about if and how proficiency levels (e.g., basic, intermediate, and advanced) should be incorporated into NICE Framework Competencies. It will be helpful to identify specific use cases around the use of proficiency levels and Competencies to help us better understand needs in this space, including references to extant models that should be considered in this effort.
NICE is in the process of defining a change process for regular updates and input in the NICE Framework components (Competencies, Work Roles, and TKS statements) to allow for adjustments to address, for instance, changes in technology and use. In addition, this process will be used to identify gaps (such as operational technology) that currently exist. Understanding more about gaps and how they can be addressed will be helpful in advance of our planning.