NIST draft cyber framework spotlights workforce woes

Emphasis is not on recruiting, but on defining the skills that will be needed.

When the National Institute of Standards and Technology released a new draft cybersecurity framework on Oct. 22, it fleshed out some parts of the August version that came before it, while still leaving other questions unanswered.

Perhaps the most noticeable update, however, is the addition of the cybersecurity workforce as an area for improvement. While it is not a surprise to see the workforce incorporated as part of a holistic approach to cybersecurity, the inclusion in the draft framework underscores the broader government- and industry-wide concerns.

It is more than just filling the seats at the network controls: the cybersecurity workforce the framework references, boosted by input from industry and government, encompasses a deeper understanding of cyber risks and how they affect a specific sector, organization, department or system.

"The workforce was a common point as we analyzed responses" to NIST requests for information and public workshops related to the framework development, said Kevin Stine, manager of the security outreach and integration group at NIST's IT laboratory computer division group. "It's generally known there is a shortage of cybersecurity experts, and what we observed and heard through the RFI process was that there's even more of a shortage with the understanding of critical infrastructure challenges that exist today. Through the RFI response process and analysis, we've identified several common points highlighting needs in the workforce."

The NIST side of the workforce coin has less to do with the overall shortage of cyber pros and more to do with the very specific requirements of critical infrastructure, with its distinct threats, technology and landscapes, and with the evolving practices that must keep pace with them, something the framework aims to help with.

"It's about understanding what the current needs are, understanding what the future needs will be based on the environment and mission space, and then being able to identify and develop resources to help not only understand those needs but begin to fill the workforce gaps -- hiring, acquisition, training resources," Stine said.

The workforce target fits in with broader NIST initiatives as well as those within other parts of the federal government, including the Homeland Security Department.

Throughout the process, "we heard from stakeholders about the need for a workforce that considers cybersecurity from the business aspect, the legal aspect, the technical aspect – there's still a great need there, and the federal government has started to recognize that with programs like the National Initiative for Cybersecurity Education," which NIST leads with the help of other federal agencies, said Donna Dodson, NIST deputy cybersecurity adviser. Dodson spoke Oct. 25 as part of a U.S. Telecom event in Washington.

Those efforts have launched "to make sure we do have a workforce that understands, is aware and has the tools and skills that we need to be able to ensure the cybersecurity concepts discussed in the framework, that risk-management approach, is something that people understand as they're building next-generation capabilities," Dodson said. "So really we see that there is a great need for that kind of expertise and talent throughout the nation, and therefore we've reflected that in the framework as something that needs to be addressed."