Federal scientists Wednesday published a draft “dictionary” aiming to help businesses figure out whom they should hire, with the guide describing every kind of cybersecurity job and cataloging the knowledge and skills needed to do them well.
The draft framework says it aims to provide American companies with a “common, consistent lexicon to categorize and describe cybersecurity work.” Additionally, it will be used by every federal agency to catalog the U.S. government’s own cyber workforce by the end of next year.
The framework is a project of the National Institute for Standards and Technology-led National Initiative for Cybersecurity Education, and was rolled out at NICE’s annual conference in Kansas this week.
At the heart of the framework are 51 “Work roles” — or more succinctly, jobs.
In a statement, NIST said that in a “nascent and rapidly developing field … job titles and role descriptions vary from organization to organization and sector to sector.”
From SP-RM-001, “authorizing official,” to IN-FO-002, “cyber defense forensics analyst,” and including SP-ARC-002 “security architect” and OV-ED-001 “cyber instructional curriculum developer,” the work roles cover every conceivable aspect of cybersecurity.
Each job is comprised of a number of tasks — nearly 1000 of which are catalogued in the framework. From T0010 “Analyze organization’s cyber defense policies and configurations and evaluate compliance with regulations and organizational directives,” to T0928 “Collaborate with key stakeholders to establish a cybersecurity risk management program.”
Each work-role/job also requires a set of knowledge, skills and abilities — and the framework catalogues nearly 100 abilities, more than 300 skills and almost 600 items of knowledge.
The framework lays out seven high-level categories of activity, each breaking down into multiple “speciality areas,”which total than 30.
The seven categories are:
- Securely Provision — Designing and building secure IT systems;
- Operate and Maintain — Providing the support, administration, and maintenance to IT systems;
- Oversee and Govern — Providing “leadership, management, direction, or development and advocacy” for cybersecurity;
- Protect and Defend — Identifying, analyzing, and mitigating threats;
- Analyze — Review and evaluate incoming cybersecurity information;
- Collect and Operate — denial and deception operations and collection of cybersecurity information;
- Investigate — Investigating cybersecurity events or crimes and collecting digital evidence;
The framework, which NIST says “is the culmination of many years of collaboration between industry, government and academia,” comes comes the day after the launch of workforce mapping tool.
The Pentagon and the Department of Homeland Security “were significant contributors,” NIST said.
The guide is open for public comment until Jan. 6.