Monday, January 02, 2017

NIST SP 800-181 NICE Cybersecurity Workforce Framework

Sometime around November 2, 2016, NIST, as part of the National Initiative for Cybersecurity Education (NICE), released SP 800-181, The NICE Cybersecurity Workforce Framework (comments are open until January 6, 2017). It's an interesting document, at least what I have read of it, given that it is 130 pages of bureaucratese coupled with some sort of education speak, designed to try and bring common role definitions to certain jobs, and to associate tasks, knowledge, skills and abilities with each of those roles. Or as the authors put it:

The purpose of this publication is to provide a fundamental reference resource to support a workforce capable of meeting an organization’s cybersecurity needs by:
  • Providing organizations with a common, consistent lexicon that categorizes and describes cybersecurity work;
  • Organizing cybersecurity work into seven high-level Categories and over 50 Work Roles within those seven Categories;
  • Offering a superset of Tasks for each Work Role; and
  • Offering a superset list of Knowledge, Skills, and Abilities (KSAs) for each work role.

In addition, an effort is made to tie the seven high-level Categories back to the Cybersecurity Framework (CSF) Categories:

While the CSF and the NCWF were developed separately, each complements the other by describing a hierarchical approach to achieving cybersecurity goals.

After identifying a broad Category where a particular need is present, the organization is supposed to further break the position down by Specialty Area and Work Role, then associate Tasks, Knowledge, Skills and Abilities with that role.

(Obviously there are more than three of each: Tasks = 928, Knowledge areas = 614, Skills = 359 and Abilities = 119.)

NIST has already identified a number of NCWF Work Roles (approx. 50).

(And actually, as I look at this again, I am not clear on whether an organization under the NCWF is allowed to define its own work roles. I would assume they are, but I am not absolutely sure.)

OK, so now we know how the process is supposed to work. Here are my concerns:

1.  This is too static, both in job roles and in the process itself. The job roles are never going to fly: every job I have ever worked has had an "other duties as assigned" clause, and those duties always end up being a significant part of the workload, so these roles are way too restrictive. As far as the process goes, an issue has already been identified in Section 4.1:

Several work-related elements have been raised at various discussions and, while not currently integrated into the NCWF, are areas that are likely to be the subject of further research and guidance. The areas of further investigation are:
* System Security Engineering (SSE) – Many elements of systems security engineering (a specialty engineering discipline of systems engineering) contribute to a fully integrated, system-level perspective of cybersecurity. Additional research will be conducted to ensure that the Tasks and KSAs described fully support the SSE lifecycle described in Draft NIST Special Publication (SP) 800-160, Systems Security Engineering - Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems.
2.  I believe that the Knowledge areas, Skills, and Abilities are tied to the wrong item. Currently they are tied to the Work Role:

I believe Tasks should be tied to the Work Role, and the Knowledge, Skills and Abilities should be tied to the Task. It might seem like a small thing, but I believe in the long run it would make a program like this more manageable, and since you can't complete the Task without the Knowledge, Skills and Abilities, it makes sense there too.

That's my $.02 on this. I didn't see anyone else really discussing it, so I thought I would throw something out there.
