Beyond20: A ServiceNow Elite Partner Overview of the NIST NICE Framework for Cybersecurity Training - Beyond20
An Overview of the NIST NICE Framework for Cyber Security Training

Written by Beyond20 Staff

Originally launched in 2010, the National Initiative for Cybersecurity Education (NICE) framework underwent major revisions in November of 2020 – an exciting step forward to the benefit of students, teachers, and practitioners working in and around cybersecurity. This article lays out key concepts within the updated NICE framework, how to apply it to federal contract teams that support federal agency customers, and how it relates to other cybersecurity frameworks such as DoD’s 8570, RMF, and FedRAMP.

What is the NICE framework? Where did it come from?

NICE is a partnership between government, academia, and the private sector focused on cyber security training and workforce development. The NICE program office operates under the Applied Cybersecurity Division located in the Information Technology Laboratory at the National Institute of Standards and Technology (NIST). This partnership program is designed to capture and promote existing successes in cybersecurity education and learning as well as foster improvement and change where necessary and possible.

There are several notable government affiliates of the program, including the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) National Initiative for Cybersecurity Careers and Studies. Other affiliated programs include the NICE Cybersecurity Workforce Framework (NIST Special Publication 800-181), the National Science Foundation’s Advanced Technological Education program, the National Security Agency’s National Centers of Excellence in Cybersecurity (CAE), the National Science Foundation’s CyberCorps Scholarship for Service, the National Security Agency’s GenCyber program, the Office of Management and Budget (OMB), and the Office of Personnel Management’s Federal Cybersecurity Workforce Strategy. As such, the creation of the NICE Framework involved contributions from some of the nation’s top agencies with real interests in improving the cyber workforce.

What is the purpose of the NICE framework?

The NICE program seeks to achieve three major goals:

  • Accelerate learning and skills development by inspiring urgency in public and private sectors.
  • Nurture a diverse learning community by strengthening education and training through emphasizing learning, measuring outcomes, and diversifying the cybersecurity workforce.
  • Guide career development and workforce planning by supporting employers in meeting market demands to enhance recruitment and hiring, as well as the development and retention of talent.

Its building-block approach allows for tailored implementation within unique operational contexts while creating a common language that lowers the barrier to entry for a wider variety of companies and agencies that seek to partner and interoperate with one another.

Who was the NICE framework created for?

The development and publication of the NICE framework is targeted toward managers and leaders of many types of organizations, including public sector, private sector, non-profit organizations, training providers and curriculum developers, human resource departments, hiring managers, and all learners. The framework was developed to assist enterprise management with managing cybersecurity risks by providing a common way to discuss the work and learning associated with cybersecurity.

The published NICE Framework can be used as a reference resource for anyone seeking to describe the cybersecurity work conducted by their organization, the people carrying out the work, and the ongoing learning necessary to complete the work effectively. This goal is facilitated by outlining Task, Knowledge, and Skill (TKS) building blocks that help incorporate agility, flexibility, interoperability, and modularity (as shown in Figure 1 below).

Figure 1: Task Knowledge Skill (TKS) Statement

How to use the building blocks in the NICE framework to create Task Statements

The NICE Framework recommends using Task Statements to describe how work is being done, followed by Knowledge Statements and Skill Statements to describe what’s required to perform the work.

  • Task Statements should be easy to read and begin with the activity being executed. They should not contain an objective or purpose. Example: Troubleshoot system software.
  • Knowledge Statements should describe foundational or specific knowledge and may support many different tasks. A task statement may require more than one knowledge statement to complete. Example: Knowledge of cybersecurity vulnerabilities.
  • Skill Statements should describe straightforward or complex skills and, like knowledge statements, may support many different tasks, while a task may require more than one skill statement to complete. Example: Skill in generating a hypothesis as to how a threat actor circumvented an IDS.

An important thing to understand is that organizations may tailor the use of TKS statements to their unique implementation context. The statements above are examples only and may need to be adjusted depending on the specific tasks or work an organization performs, and a task may need more or fewer knowledge and skill statements to complete. However, users of the framework should be cautious when modifying the text of existing TKS statements in the NICE framework, as they are designed for interoperability. Changing them, instead of creating new TKS statements, may cause misalignment when working with external sources.

How to use competencies to build on TKS Statements

The next building block of the NICE Framework is a Competency. Competencies are a good way for organizations to assess learners. They should be defined through an employer-driven approach, focused on the learner, and both observable and measurable. A competency should offer flexibility by allowing an organization to group various TKS Statements into a category defining a broad need (see Figure 2 below). Individual tasks and associated knowledge and skill statements may not change, whereas a more broadly defined competency may introduce new tasks or individual knowledge and skill statements as needs shift.

Figure 2: Competency comprised of multiple TKS Statements

Competencies are often used in one of two ways, either by employers or training providers/academic advisors:

  • Employers: Use competencies to define a position description, as shown in Figure 3 below.

Figure 3: Use-case for competencies to define a Position Description

  • Training providers or academic advisors: Use competencies to demonstrate that a learner has attained the knowledge and skill aligned with that competency, and use competencies to define a credential (certification or degree). This alignment is pictured in Figure 4 below.

Figure 4: Alternate use-case for competencies to define a credential

One last element of the NICE framework of building blocks to understand is the Work Role. A Work Role may align with a single job title, but one job title may also perform several work roles as part of a position. The Work Role is really the top of the framework’s pyramid: a work role consists of multiple Tasks and their Task Statements, which are in turn supported by Knowledge Statements and Skill Statements, as shown in Figure 5 below.

Figure 5: Work role, work, and the learner

By using consistent building blocks (knowledge, skills, tasks, etc.), the framework was created to empower learners to develop a vision that helps ensure learning, growth, and development happen. Learners develop their knowledge and skills into competencies to climb to the next level, allowing them to perform tasks as they do the work that fulfills a work role at the top of the framework pyramid. The purpose of the framework is to drive a consistent language for describing cybersecurity concepts and to improve the development of a cybersecurity workforce that includes learners, educators, and employers in the public and private sectors, fostering advancement and innovation within that workforce for the benefit of both federal agencies and the nation’s citizens.

Why the NICE framework matters and how it helps organizations

As you read the first part of this article, you might think to yourself, “So David, why should I care about the NICE framework? My company already has a cybersecurity team and does a lot of work on federal contracts.” The answer starts with the purpose of the framework – to drive consistent language focused on workforce development. As a federal contractor, your workforce likely consists of people with a variety of degrees, backgrounds (military and otherwise), certifications, education, experience, and expertise. As your organization fulfills its contracts with the government, you will undoubtedly need to continually develop the cybersecurity skills and knowledge of your workforce to add value, improve performance ratings, remain competitive in the marketplace, and ultimately support the mission success of government customers.

The NICE framework has started to be adopted by many agencies in the federal government, and it is further touted by federal partners. NICE may still be somewhat new to many companies, but adoption is growing. Because the framework was only initially released in 2017 and revised in late 2020, it is still relatively young. However, it is starting to show up in several RFPs, particularly ones with a cybersecurity component. Thus, it is worth becoming educated on the framework and having conversations with training providers about how their courses map to it.

How specific courses and certifications align to the NICE framework

In 2017, 68% of surveyed employees felt there were too few cybersecurity personnel in the workforce. That number has only grown, with a more recent study highlighting that there are ~400,000 unfilled cybersecurity jobs in North America, and this number will only continue to grow in the years to come. To help fill those jobs, and to keep not only individual organizations but the whole nation secure, a unified vision for skills and knowledge development, along with a shared language and framework used in partnership across public and private organizations, can help facilitate a thoughtful response to this growing need.

As the lead agency bridging the gap between private and public sector partnerships, and recently given oversight and red-team authority over all other federal agencies when it comes to cybersecurity, CISA has put together some helpful resources on the NICE Framework. Namely, they have built the framework out into modular, usable categories. They have split the framework into 7 overarching categories, with 33 specialty areas and 52 separate work roles. I’m not going to dive into every specialty area and work role, but will list the 7 major categories. They are as follows:

  • Analyze
  • Collect and Operate
  • Investigate
  • Operate and Maintain
  • Oversee and Govern
  • Protect and Defend
  • Securely Provision

On the CISA website linked above, there are also a number of related resources that allow you to review individual tasks, skills, and knowledge statements and the work roles they apply to, as well as a search tool that allows you to search courses by location and keyword. This will give you an idea of where a certification you hold or a course you have taken may map to the NICE Framework. In fact, we have a handy guide below that maps Beyond20’s courses to the NICE framework.

How the NICE framework relates to DoD 8570 security requirements

If you have been working in federal contracting for some time, you are likely aware of US Department of Defense Directive 8570, which has subsequently been rolled in under the larger initiative umbrella of Directive 8140, referred to as 8140/8570. 8570 creates a baseline certification requirement for all technical roles, including these key roles:

  • Information Assurance Technical (IAT) – Levels 1-3
  • Information Assurance Management (IAM) – Levels 1-3
  • Information Assurance System Architecture and Engineering (IASAE) – Levels 1-3
  • Cyber Security Service Provider (CSSP) – Analyst, Infrastructure Support, Incident Responder, Auditor, Manager

According to the DoD Cyber Workforce Framework (8140’s delivery on the directive for a DoD Cyber Workforce Framework), it leverages the original NICE Cybersecurity Workforce Framework, or NCWF. There is a direct relationship between 8140 and NICE, which means that each work role under 8570 maps to one or more of the NICE Framework categories. This is done by assigning each title listed above specific work roles along with their relevant TKS statements and subsequent knowledge and skill statements. This mapping is available at a high level on the DoD Cyber Exchange Public site, where you can click through the NICE categories to see possible job titles or work roles mapped to the DoD Cyber Workforce Framework.

How the NICE framework relates to FedRAMP

The Risk Management Framework (NIST SP 800-37r2) provides guidelines for applying the RMF to information systems and organizations for managing security and privacy risks. Within these guidelines a number of roles are described, each with responsibilities to perform or oversee specific tasks. While not directly tied to the NICE Framework, the roles and tasks described within RMF do share alignment with the roles and tasks defined within the NICE Framework. The RMF also prescribes the application of the controls detailed within NIST SP 800-53.

The Federal Risk and Authorization Management Program (FedRAMP) exists to provide a cost-effective, risk-based approach for the adoption and use of cloud services by the government. It promotes this by providing a standardized approach to security and risk assessment for cloud technologies and federal agencies.

FedRAMP is in essence a program designed to streamline and standardize the security and privacy requirements of federal agencies engaging in partnership with private business for technology services. FedRAMP incorporates an “assess and authorize” process identical to the one described in the RMF, and ultimately conducts the full RMF lifecycle, resulting in an Authorization to Operate (or a rejection) for the product or service provider being assessed. These assessments validate compliance with the controls detailed within NIST SP 800-53, just as an assessment for RMF compliance would.

So while the NICE framework is not explicitly reflected or called out within RMF or FedRAMP, it is implicitly present in the standardized language and application of Work Roles, and of the Tasks, Knowledge, and Skills within those work roles.

How the NICE framework and DoD 8570 map to Beyond20 courses

Beyond20 occupies a unique position of interest here, serving as both a training provider and a federal contractor with the US DoD. Our training offerings are available on our website, where you can sign up for more information. We have mapped our courses to DoD 8570 as well as the NICE framework here.

Meet the Mission

Get yourself or your team skilled up to meet NICE, DoD 8570, or FedRAMP requirements through our full suite of cybersecurity certification courses.

Originally published February 02 2022, updated June 06 2023