Proposal: A career path for federal cybersecurity pros
- By William Jackson
- Nov 10, 2011
Responding to the lack of a consistent definition for cybersecurity jobs and their skill sets, an interagency workforce education group has proposed a framework to help provide a path for professional development in government for this increasingly critical area.
“The absence of a common language to discuss and understand the work and skill requirements of cybersecurity professionals hinders our nation’s ability to baseline capabilities, identify skill gaps, develop cybersecurity talent in the current workforce, and prepare the pipeline of future talent,” according to the Cybersecurity Workforce Framework released for public comment.
The framework, created by the interagency National Initiative on Cybersecurity Education, organizes cybersecurity jobs into specific areas and includes the responsibilities and required skills for each.
Cybersecurity is a recent and rapidly developing specialty in government, which does not fit into the standard occupations, job titles, position descriptions, and federal job classification and grading systems managed by the Office of Personnel Management. This has made identifying, educating, recruiting and retaining this workforce a challenge for many agencies.
The demand for cybersecurity professionals is estimated to grow to 2.5 million new workers by 2015, and government will have to compete with the private sector for skilled workers. NICE, an interagency program coordinated by the National Institute of Standards and Technology, is an effort to increase cybersecurity awareness in general, promote education from primary grades through university level, and improve workforce development.
The framework provides a working taxonomy intended to fit into an organization’s existing occupational structure in both the public and private sectors. It is based on information gathered from federal agencies over two years of surveys and workshops by OPM, a Defense Department study of the cybersecurity workforce, and a study by the Federal CIO Council.
Jobs are organized into seven high-level categories, grouping together work and workers that share common functions. The categories, together with included specialty areas, are:
Securely provision, which includes the conceptualization, design and building of secure IT systems:
Operate and maintain
- Information assurance compliance.
- Software engineering.
- Enterprise architecture.
- Technology demonstration.
- Systems requirements planning.
- Testing and evaluation.
- Systems development.
, which includes the support, administration and maintenance needed to ensure performance and security:
Protect and defend
- Data administration.
- Information system security management.
- Knowledge management.
- Customer service and technical support.
- Network services.
- System administration.
- Systems security analysis.
, which includes identification, analysis and mitigation of threats:
- Computer network defense.
- Incident response.
- Computer network defense infrastructure support.
- Security program management.
- Vulnerability assessment and management.
security incidents, breaches and crimes:
Operate and collect
- Digital forensics.
cybersecurity information that could be used to develop intelligence:
- Collections operations.
- Cyber operations planning.
- Cyber operations.
Analyze, which includes the review and evaluation of incoming information to determine its usefulness for intelligence:
- Cyber threat analysis.
- Exploitation analysis.
- All source intelligence.
Support to others conducting cybersecurity work:
- Legal advice and advocacy.
- Strategic planning and policy development.
- Education and training.
Other framework documents available online provide more information on the job titles, tasks, knowledge and skills needed in each specialty area.
Comments on the framework are due by Dec. 16. Links to all of the framework documents as well as to a template for comments are available at http://csrc.nist.gov/nice/framework/
William Jackson is freelance writer and the author of the CyberEye blog.