Back to the Basics: Announcing the New NICE Framework

Three years ago, NIST published the first version of Special Publication (SP) 800-181, the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. Since then, cybersecurity has changed. In the last year the way we think about how we do work has changed, too. Drastically. In order to keep pace with these changes and increase flexibility of the NICE Framework so that it meets the needs of multiple stakeholder groups across both public and private sectors, NIST announced in 2019 a year-long effort to review and update the NICE Framework. This effort has come to a close and we are happy to announce the release of NIST SP 800-181 Revision 1, the Workforce Framework for Cybersecurity (NICE Framework)!

We’ve taken a back-to-the-basics approach in this revision and really focused in on the building blocks of a workforce framework. Describing the foundations of a workforce framework presents a common language for organizations to use internally and with others. This flexible approach also allows organizations to tailor and implement the NICE Framework to their unique operating context.

The main building blocks of the NICE Framework are Tasks, Knowledge, and Skills, which each help describe two main concepts: “the work” and “the learner.” In Revision 1 of the NICE Framework, Ability statements have been absorbed by Skill statements, which focus on action by the learner. By describing both the “work” and the “learner,” the NICE Framework provides organizations a common language to describe their cybersecurity work. Furthermore, the NICE Framework provides an interoperable mechanism to communicate across organizations at a peer level, sector level, national level, or international level using the same building blocks.

Competencies, which existed in earlier versions of the NICE Framework, are also re-introduced in NIST SP 800-181 Revision 1. Competencies, a mechanism for organizations to assess learners, further describe the “learners” of cybersecurity work. Competencies allow students, current employees, and job seekers to succinctly communicate and effectively demonstrate that they have the requisite Knowledge and Skills to perform cybersecurity work.

Another major update you’ll find in this revision is that it has been streamlined to include only core, static content. This means only 12 pages of content! In environments that so quickly evolve, like cybersecurity does, informational content needs to be agile. Supplemental content such as lists of Competencies, Work Roles, Tasks, Knowledge, and Skill statements have been removed from the static publication so that they can be updated more frequently. A revision process is being developed for how updates to these supplemental materials will be done.

Now that the revised NICE Framework has been released, we are focusing efforts on the two-year activities of our update plans. Competencies, Work Roles, including Work Role groupings, Tasks, and Knowledge and Skill statements are undergoing a review through 2021. We invite you to remain engaged with the NICE Framework and its continual evolution. Stay tuned for more information on how you can get involved in community groups on the NICE Framework by visiting the NICE Framework Resource Center, subscribing to email updates from NICE, or following @NISTCyber on twitter.