Proposal: A career path for federal cybersecurity pros

Responding to the lack of a consistent definition for cybersecurity jobs and their skill sets, an interagency workforce education group has proposed a framework to help provide a path for professional development in government for this increasingly critical area.

“The absence of a common language to discuss and understand the work and skill requirements of cybersecurity professionals hinders our nation’s ability to baseline capabilities, identify skill gaps, develop cybersecurity talent in the current workforce, and prepare the pipeline of future talent,” according to the Cybersecurity Workforce Framework released for public comment.

The framework, created by the interagency National Initiative on Cybersecurity Education, organizes cybersecurity jobs into specific areas and includes the responsibilities and required skills for each.

Cybersecurity is a recent and rapidly developing specialty in government, which does not fit into the standard occupations, job titles, position descriptions, and federal job classification and grading systems managed by the Office of Personnel Management. This has made identifying, educating, recruiting and retaining this workforce a challenge for many agencies.

The demand for cybersecurity professionals is estimated to grow to 2.5 million new workers by 2015, and government will have to compete with the private sector for skilled workers. NICE, an interagency program coordinated by the National Institute of Standards and Technology, is an effort to increase cybersecurity awareness in general, promote education from primary grades through university level, and improve workforce development.

The framework provides a working taxonomy intended to fit into an organization’s existing occupational structure in both the public and private sectors. It is based on information gathered from federal agencies over two years of surveys and workshops by OPM, a Defense Department study of the cybersecurity workforce, and a study by the Federal CIO Council.

Jobs are organized into seven high-level categories, grouping together work and workers that share common functions. The categories, together with included specialty areas, are:

Securely provision, which includes the conceptualization, design and building of secure IT systems:

  • Information assurance compliance.
  • Software engineering.
  • Enterprise architecture.
  • Technology demonstration.
  • Systems requirements planning.
  • Testing and evaluation.
  • Systems development.
Operate and maintain, which includes the support, administration and maintenance needed to ensure performance and security:
  • Data administration.
  • Information system security management.
  • Knowledge management.
  • Customer service and technical support.
  • Network services.
  • System administration.
  • Systems security analysis.
Protect and defend, which includes identification, analysis and mitigation of threats:
  • Computer network defense.
  • Incident response.
  • Computer network defense infrastructure support.
  • Security program management.
  • Vulnerability assessment and management.
Investigate security incidents, breaches and crimes:
  • Investigation.
  • Digital forensics.
Operate and collect cybersecurity information that could be used to develop intelligence:
  • Collections operations.
  • Cyber operations planning.
  • Cyber operations.

Analyze, which includes the review and evaluation of incoming information to determine its usefulness for intelligence:

  • Cyber threat analysis.
  • Exploitation analysis.
  • All source intelligence.
  • Targets.

Support to others conducting cybersecurity work:

  • Legal advice and advocacy.
  • Strategic planning and policy development.
  • Education and training.
Other framework documents available online provide more information on the job titles, tasks, knowledge and skills needed in each specialty area.

Comments on the framework are due by Dec. 16. Links to all of the framework documents as well as to a template for comments are available at http://csrc.nist.gov/nice/framework/.


Reader comments

Tue, Nov 15, 2011 Reality Check

Hey SOTE Contractor! Did you ever think that maybe the reason you can't get hired on as a Federal Employee is that massive chip you have on your shoulder?

Mon, Nov 14, 2011 SOTE Contractor Federal Agency

I have been doing this work for the Federal Government for 35 years but I am unworthy of being hired as a Fed because I haven't been a Fed (no matter what Federal work was being done) before. Being a Fed makes you better than any scum-of-the-earth contractor.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above