Security

NICE Framework Defines the Specifics of Federal Cybersecurity Jobs

The guidelines create a common language for agencies to discuss hiring needs.

Carolyn Shapiro is a freelance journalist based in Burlington, Vt., with expertise in covering business and technology, health and science, consumer issues and the food industry.

During the final round of the annual President’s Cup Cybersecurity Competition in December 2022, competing teams had to find their way out of virtual escape rooms by solving various cyber challenges. In one, they received USB fobs with keys that unlocked hidden files.

“There were clues there to look in your system’s memory, and then get a four-digit PIN code to get out of the first room,” explains Rob Karas, assessments branch chief for the Cybersecurity and Infrastructure Security Agency, which designs and hosts the competition.

The President’s Cup gathers participants from across the federal workforce to test their cybersecurity skills and reward the most talented among them. CISA builds the competition’s challenges on the Workforce Framework for Cybersecurity, commonly known as the NICE Framework, an acronym based on an earlier name for the program.

The framework outlines and defines broad categories of knowledge for different areas of cybersecurity expertise and drills down into more detailed work roles to identify skills that cyber workers need for specific jobs.

Click below to learn more about cybersecurity in the federal space.

What Is the NICE Framework?

The President’s Cup exemplifies the way the NICE Framework is used by multiple federal agencies, as well as in academia and private industry, to pinpoint the proficiencies of cybersecurity work. The goal is to provide universal terminology that supports the ever-growing demand for a robust cybersecurity workforce across government sectors.

It’s a “lingua franca,” a common means of communication among groups of different backgrounds, says James Stanger, chief technology evangelist for CompTIA, which supports the tech industry and its professionals with education, training, certification programs and market research.

Even within the realm of U.S. government information technology, various specialty areas don’t speak the same language. But they all struggle to funnel more people into cybersecurity careers while helping those with tenure in the field to update their knowledge and skills.

“One of the major reasons why NICE was created was because, basically, we need more workers,” Stanger says. “We need upskilled workers, and this is an industrywide problem. This is why NICE is so admirable.”

The National Institute of Standards and Technology developed the NICE Framework in 2017. The idea to codify descriptions of cybersecurity work, though, started about 10 years earlier among agencies that realized they didn’t have well-defined roles for cybersecurity and couldn’t easily hire for needed positions until they did.

“There wasn’t that common language to help describe what people in these different cybersecurity positions within different agencies were doing,” says Karen Wetzel, manager of the NICE Framework for NIST.

“When one person moved to another position, it was unclear as to what that job meant or what that role was meant to be,” she adds.

When somebody says, ‘I need a cyberdefense analyst,’ everybody knows what they need, or it sets the playing field level. So, we know what we’re all talking about now.”

Rob Karas Assessments Branch Chief, Cybersecurity and Infrastructure Security Agency

How Does the NICE Framework Work?

The NICE Framework starts with seven broadly written categories of cybersecurity work, covering any employee who has the knowledge and skills to manage risks to the enterprise.

“It’s a series of task statements that describe the work to be done,” Wetzel explains, “and knowledge and skill statements that describe what someone needs to know or be able to do in order to complete those tasks.”

From the broader categories, the framework further defines work roles, which are distinct from job titles. They’re areas of responsibility, Wetzel says; a single job may encompass several work roles. For example, an employee might not have an official designation as a cybersecurity practitioner but does have some cybersecurity skills that match a NICE work role.

A job announcement released about a month ago, for example, sought an IT cybersecurity specialist — a broad title. “If you look at the description, though, it gives examples of typical work assignments,” Wetzel says.

One is to “perform real-time cyber defense incident handling tasks” to support deployment of incident response teams. Another responsibility is policy analysis to mitigate risks from IT system vulnerabilities.

The language pulls directly from statements in the NICE Framework, Wetzel says. “You can see that this job is likely a security control assessor role.”

How Do Federal Agencies Use the NICE Framework?

The NICE Framework primarily serves as a roadmap for hiring, helping agencies find the right people with the right skills and put them where they can best apply those skills. The NICE Framework serves as a starting point for agencies to adapt it to their own needs. Hiring leaders can write in specific responsibilities and experience they want a worker to have in a certain position.

“So, it’s been able to help with retention, help with growth and help with making sure that they are kept up with the most recent issues that are in the space.”

In 2020, NIST revised the framework “to embrace those qualities of agility and flexibility,” Wetzel says.

The 2020 update also allows cybersecurity workers to better fit their own skills to available jobs. NICE gives cyber workers the flexibility to prove their proficiency through formal certification, prior work or informal learning and experience.

8,376

The number of federal cybersecurity job openings as of June 15, 2023

Source: cyberseek.org, “Cybersecurity Supply/Demand Heat Map,” June 15, 2023

“In cybersecurity, where things are changing all the time, you’re going to need to have experiences that aren’t necessarily formalized in a certain environment yet,” Wetzel says.

“Having a framework that can demonstrate what those capabilities are and having people be able to express how they are able to apply those capabilities is really useful, particularly when we have need for so many people in this field.”

At a recent CISA hiring fair, Karas says, he came in to “triage” by looking at candidates’ resumes, figuring out the positions that best suited them and sending them to the proper hiring managers. NICE enables IT leaders to better understand the strengths of prospective employees.

“When somebody says, ‘I need a cyberdefense analyst,’ everybody knows what they need, or it sets the playing field level,” Karas says. “So, we know what we’re all talking about now.”

The NICE Framework also supports cybersecurity career development in grade school and high school by giving educators the proper language to prepare students with interest and talent to feed into the future workforce. The National Cyber League provides virtual training and competitive challenges for high school and college students on platforms derived from NICE guidelines.

DIVE DEEPER: Learn how federal agencies can benefit from a diverse IT staff.

How Does the NICE Framework Benefit Federal Agencies?

The NICE Framework includes assessment features to make sure cyber employees meet performance standards and determine if they might better fill gaps in other areas. It also helps agencies prepare for security risks to come and the workforce they’ll need down the road.

“You can make sure that you’re bringing in candidates who are going to be able to do this work and that you’re going to be able to assess them accordingly,” Wetzel says. “You then have stronger candidates, because they’re able to see themselves in those jobs, and agencies can have stronger hires. That helps with things like retention.”

The U.S. government has played catch-up with cybersecurity for decades, says John Pescatore, director of emerging security trends for the SANS Institute, an information security cooperative that provides education, certification and other resources to cyber professionals.

“We need so many security people because so many IT systems are built badly from a security standpoint,” Pescatore says. “It’s not like security comes along and opens a bottle of magic security sauce and pours it on things. Quite often, the old legacy systems have to be redone.”

The COVID-19 pandemic and subsequent shift to remote work accelerated the push toward zero-trust environments and multifactor authentication, and the NICE Framework helps federal agencies address the inherent security risks, he says. The cloud and the Internet of Things have moved security needs from centralized buildings to every possible endpoint, Pescatore says.

Wetzel acknowledges that future NICE revisions will incorporate changing trends. If agencies express a need to delineate zero-trust skills, NIST can add those to the framework.

Cloud security is one area that NICE is likely to address with more focus, Wetzel says. Artificial intelligence is another.

“We’re not going to say the NICE Framework is done,” Wetzel says. “It is going to be constantly evolving and being adjusted in order to meet needs.”

FangXiaNuo/Getty Images