What is the NICE Workforce Framework for Cybersecurity?
The National Initiative for Cybersecurity Education (NICE), led by the National Institute of Standards and Technology (NIST), is a partnership between government, academia and the private sector that works to promote cybersecurity education, training and workforce development.
The NICE Workforce Framework for Cybersecurity, commonly called the NICE Framework, provides a standard way to describe cybersecurity work and the knowledge and skills needed to complete that work. The current framework structure is described in NIST Special Publication 800-181 Rev. 1, Workforce Framework for Cybersecurity (NICE Framework).
NIST maintains the NICE Framework Components separately from SP 800-181 Rev. 1 so they can be updated over time. These components include Work Role Categories, Work Roles, Competency Areas and Task, Knowledge and Skill statements.
The framework provides a great way for employers, human resources personnel and employees to define jobs in the field, speak a common language and identify training needs, career paths and position requirements, as well as agree on proper ways to measure and assess capabilities.
Some older resources refer to the NICE Cybersecurity Workforce Framework or NCWF. Today, NIST most often refers to it as the Workforce Framework for Cybersecurity, or NICE Framework.
Why does the NICE Framework matter?
With a need for standardization in how cybersecurity work is defined, described and supported through training, the NICE Framework has often been used as a reference point for cyber workforce development activities. The framework provides a common language to talk about cyber roles and jobs and can be referenced by those who wish to define professional requirements in cybersecurity.
The NICE Framework matters because it helps identify many of the roles within an organization’s cybersecurity structure, as well as the knowledge, skills and capabilities each role should develop and demonstrate, so that the team is as complete and efficient as possible.
The framework provides guidance on how cybersecurity responsibilities can be organized across an organization and on identifying the right talent by formulating clear position descriptions that specify the qualifications and duties for each role. It also provides a blueprint for how to further develop employees and provide more focused training opportunities.
The document is also very important for certification and training providers that can rely on the information provided to tailor their courses, as well as provide more meaningful assessment based on each role’s characteristics.
The publication, then, can be pivotal in shaping a cybersecurity workforce that meets the needs of today’s organizations. It also provides standard guidance to prevent improvisation and approximation in the shaping of specialized professionals.
NICE Framework development: How it’s structured
The NICE Framework has evolved over time. Earlier versions of the framework organized cybersecurity work into seven categories and a number of Specialty Areas that detailed specific cybersecurity functions. For example, the Strategic Planning and Policy specialty listed under the Oversee and Govern category referred to the development of policies and plans, as well as the changes needed when the organization’s mission changed or new initiatives required them.
The current framework structure is different. NICE Framework Components now include Work Role Categories, Work Roles, Competency Areas and Task, Knowledge and Skill statements. These components help describe the work to be done, the knowledge and skills needed to do that work and the relationships between roles and capabilities.
As of NICE Framework Components v2.2.0, the framework includes five Work Role Categories and 42 Work Roles, supported by Task, Knowledge and Skill statements. Because the components are maintained separately from SP 800-181 Rev. 1 and updated over time, users should refer to NIST’s Current Versions page for the latest component files.
Here’s what lies within the NICE Framework components today:
- Work Role Categories: High-level groupings of common cybersecurity functions.
- Work Roles: Groupings of work for which someone is responsible or accountable. Work Roles are not the same as job titles, since one job may include multiple Work Roles or only part of one Work Role.
- Task statements: Descriptions of the work to be done.
- Knowledge and Skill statements: Descriptions of what someone needs to know or be able to do to complete that work.
- Competency Areas: Clusters of related knowledge and skills that correlate with a learner’s capability to perform tasks in a particular domain.
The framework clearly defines relationships between categories of work, Work Roles and the Task, Knowledge and Skill statements needed for each. But how does a position fit the NICE Framework? The NICE Framework Mapping Tool helps by allowing users to answer questions about a cybersecurity-related position and see how that position aligns to the framework.
Who uses the NICE Framework and for what?
The NICE Framework serves as a fundamental reference for many audiences.
- Employers: The framework allows employers to better shape their workforce by identifying gaps in Work Roles, knowledge or skills. It can also help them write more focused and meaningful position descriptions that allow HR professionals to focus their hiring efforts, as well as give current employees better guidance on the knowledge and competencies they are expected to hone.
“The NICE Framework will allow employers to use focused, consistent language in professional development programs, in their use of industry certifications and academic credentials, and in their selection of relevant training opportunities for their workforce,” writes NIST Special Publication 800-181.
- Current and future cybersecurity workers: The framework can guide cybersecurity professionals at any stage of their careers to explore tasks and Work Roles and understand the knowledge and skills that are being valued by employers for in-demand cybersecurity positions. The NICE Framework’s common lexicon provides clear and consistent descriptions of the cybersecurity tasks and training that are needed for those Work Roles.
The document provides guidance for professionals looking for positions that better fit their current knowledge and experience and can provide an idea of progression for young practitioners just starting in the field.
- Academic advisors and staffing specialists: The framework can help support students and job seekers in designing their career paths toward a job in cybersecurity. It provides objective information that advisors can use in designing specific plans for their customers.
- Training and certification providers: The framework can help current and future members of the cybersecurity workforce gain and demonstrate the knowledge and skills needed to perform tasks in a Work Role.
NICE-related tools also include the NICCS Education and Training Catalog, which lists cybersecurity-related courses aligned with NICE Framework Work Roles and Competency Areas.
- Education providers: The framework can help develop curricula, courses, certificates or degree programs, seminars and research aligned to NICE Framework Work Roles, Competency Areas and Task, Knowledge and Skill statements.
- Technology providers: The framework can help identify cybersecurity Work Roles and the specific tasks, knowledge and skills associated with the services and hardware or software products they supply.
NIST and NICCS also maintain tools that help users explore and apply the framework, including the Cyber Career Pathways Tool and the NICE Framework Mapping Tool.
NICE Framework applied
The NICE Framework has evolved with further engagement between government, the private sector and academia to provide a common understanding of cybersecurity work.
CyberSeek is one example of how the framework can be applied. Its interactive tools help cybersecurity job seekers, employers, students, employees, policymakers, training providers and guidance counselors explore cybersecurity career pathways and workforce demand.
CyberSeek’s interactive map helps users view information about cybersecurity supply and demand by state or metro area. It also includes career pathway information, common job titles, salaries, online job openings, in-demand skills, education and certifications related to the field. Jobs are organized by NICE Framework Work Role Categories.
The U.S. Office of Personnel Management (OPM) has also worked with partners across government to support the categorization of cyber positions through coding aligned to the NICE Framework. This supports federal workforce planning by helping agencies identify positions that perform information technology, cybersecurity or other cyber-related functions.
As a result, agencies can better identify, recruit, assess and hire candidates with the cyber-related knowledge and skills needed for the work.
Conclusion
The NICE Framework gives employers, educators, training providers and cybersecurity professionals a common way to describe cybersecurity work. Its current structure is described in NIST SP 800-181 Rev. 1 and supported by separately maintained NICE Framework Components, including Work Role Categories, Work Roles, Competency Areas and Task, Knowledge and Skill statements.
Together, these resources help organizations define roles, identify capability gaps and align training to the work people actually perform. For organizations evaluating NICE-aligned training today, this background can help explain why the framework exists and how it shaped a more consistent way to describe cybersecurity work.