The government is now attempting to calm down the chaos of its haphazard approach to building a cyber security workforce. It also understands it needs help.
The multiagency National Initiative for Cybersecurity Education (NICE), led by the National Institute of Standards and Technology, is working on a draft plan to standardize cyber security work throughout the government.
The NICE framework is a dictionary of cyber security work, divided into seven categories from operating networks to analyzing cyber threats. Together, those categories contain 31 job functions linked to more than 1,000 knowledge, skills and abilities.
“From driving educational programs in K-12 through training programs offered commercially, through cyber security competitions, this is our keystone,” said National Cybersecurity Education Strategy Director Peggy Maxson.
If successful, the framework could be the structure that gives everyone in and outside government a clear idea of what it means to be a cyber professional.
In 2009, President Barack Obama declared the cyber threat to be “one of the most serious economic and national security challenges we face as a nation.”
The problem is knowing the threat landscape, the government still doesn’t have a handle on who is defending its networks in cyberspace.
It’s hard for agencies to determine if their cyber security workforce is strong enough to meet their needs, according to a recent Government Accountability Office report.
It found agencies struggle to get a handle on how many cyber security workers they have, how much time those workers devote to computer and network protection and whether their positions align with federal guidelines.
“The most critical problem in establishing the cyber security professional workforce was, indeed, to first define what that is,” said Maxson. “We weren’t at a lack of definitions at the federal government. Every agency has their definitions.”
That is precisely the problem.
Agencies would be wise to use the framework to take inventory of their current workforce’s skills and identify gaps, said National Cybersecurity Workforce Structure Strategy Director Angie Curry. “We need to develop some best practices for workforce planning,” she said.