NICE 2019-20 Winter eNewsletter

| Featured Article | NICE Framework in Focus | Academic Spotlight | Industry Spotlight | Government Spotlight | Affiliated Program Updates | Funded Project Updates | NICE Working Group Updates | Key Dates |

Subscribe to the NICE eNewsletter

---

In November of 2019, NICE announced that it will plan to review and update the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. NICE is planning a comprehensive review during 2020 to improve the NICE Framework to meet national (and international) needs for a skilled cybersecurity workforce. This eNewsletter is a special themed edition with articles that focus on applications and uses of the NICE Framework from Academia, Industry, and Government. The Feature Article describes in further detail our plans for reviewing and updating the NICE Framework, including an appeal for you to respond to our Request For Comments. We are also partnering with the National CyberWatch Center on a Special Issue of the Cybersecurity Skills Journal on the NICE Framework so be sure to check out the Call for Abstracts. You can stay informed with updates by visiting the new NICE Framework Resource Center and look for further announcements at the NICE Conference and Expo in Atlanta, Georgia, on November 16-18, 2020.

Rodney Petersen
Director, National Initiative for Cybersecurity Education (NICE)

---

Featured Article

NICE FRAMEWORK REVIEW AND UPDATE PROCESS

By Lisa Dorr, Office of the Chief Human Capital Officer, U.S. Department of Homeland Security; Pam Frugoli, Employment and Training Administration, U.S. Department of Labor; Matt Isnor, Office of the Chief Information Officer U.S. Department of Defense; Bill Newhouse, National Institute of Standards and Technology, U.S. Department of Commerce; and Ben Scribner, Cybersecurity and Infrastructure Security Agency, U.S. Department of Homeland Security

The National Initiative for Cybersecurity Education (NICE), led by the National Institute of Standards and Technology (NIST), is planning to update the NICE Cybersecurity Workforce Framework (NICE Framework), NIST Special Publication 800-181. The public was invited to provide related input by January 13, 2020. 

The NICE Framework of Yesterday and Today

The first version of the NICE Framework was published in 2012. It was designed to create a common language for categorizing and describing cybersecurity work and offer our nation a tool for baselining capabilities, identifying skill gaps, and ensuring a robust cybersecurity talent pipeline. The NICE Framework has become a nationally-focused standard for cybersecurity employers, practitioners, educators, training providers, and learners across public, private, and academic sectors. It is also used internationally as a reference resource.

The first two versions (2012 and 2014) described cybersecurity work through a taxonomy of cybersecurity work categories and specialty areas. The most recent version was published in August 2017 as a NIST Special Publication, 800-181. As figure 1 illustrates, this version expanded the original lexicon to include a refined taxonomy of cybersecurity work categories, specialty areas, and now – roles.

It was also the first version to include details on the “Collect and Operate” and “Analyze” work categories and related knowledge, skills, abilities, and tasks (earlier versions redacted information on these categories due to their highly specialized, and sensitive nature). This offered learners deeper insights into the nature of this work and enabled educators and training providers to prepare workers in these areas.

Today’s NICE Framework is the first version to include details on the “Collect and Operate” and “Analyze” work categories and related knowledge, skills, abilities, and tasks (earlier versions redacted information on these categories due to their highly specialized, and sensitive nature). This offered learners deeper insights into the nature of this work and enabled educators and training providers to prepare workers in these areas.

The NICE Framework of Tomorrow 

The NICE Framework will continue to evolve with the needs of the communities that it can serve. 

Cyberseek™ documents over 500,000 openings for cybersecurity-related jobs. The NICE Framework of tomorrow should support the development of cybersecurity skills needed by our nation’s workforce and become a reference to our employers, training providers, and educational institutions as they seek new ways to get learners to become the cybersecurity skilled employees they need.

Advances in technology in areas such as Artificial Intelligence, Quantum Information Sciences, and 5G implementation will ask people to demonstrate new cybersecurity skills and perform new tasks. These new things should be identified and documented in the NICE Framework to keep it relevant to today’s work to reduce cybersecurity risk and prepare our workforce to confidently navigate in cyberspace.

Changes to the NICE Framework can be framed by lessons learned by those who use and apply it. Workforce Planners, educators, training providers, employers, and learners may bring forth frame needs for additional NICE Framework components and/or informative references.

Many businesses have and will continue to experience financial and reputational damage from both novel and well-known threats and vulnerabilities.  Federal and other government organizations will continue to experience cyber-attacks or threats, resulting in data loss and service disruptions. If recent events have taught us anything, it is that impacts of cybersecurity implementation gaps, vulnerabilities being exploited, and cybersecurity risk management are no longer the sole responsibility of information technology organizations, such as the Office of the Chief Information Officer. 

Increasingly, organizations have adopted the NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) to guide their cybersecurity activities and manage associated cyber risk. The NICE Framework can support users of the CSF by connecting descriptions of related work, work roles, and requisite knowledge, skills, abilities, and tasks to CSF features.

Moving Forward

NICE is leading an effort to dynamically maintain the NICE Framework’s relevancy, applicability, and utility while improving its ongoing alignment with related standards, guidelines, and other frameworks. Keeping the NICE Framework relevant is vital to prepare our nation’s workforce for increasingly complex cybersecurity challenges.

When we actively engage the private and public sectors on standards like the NICE Framework, we rely on and use experts from around the country – and around the globe - to improve the quality, relevance, and likely use of the end-product. NICE Framework updates will happen in cooperation with the private sector and other government agencies via transparent, open, and collaborative processes.

---

NICE Framework in Focus

A profile of a cybersecurity practitioner to illustrate application of the NICE Cybersecurity Workforce Framework categories, specialty areas, and work roles.

Name: Gregory L Bird

Title: Mission Systems Branch Chief

Organization: U.S. Department of Homeland Security (DHS), Cybersecurity & Infrastructure Security Agency (CISA), Infrastructure Security Division

Work Roles: Systems Requirements Planner, IT Project Manager, and Product Support Manager

Academic Degrees: B.S., Management of Information Systems: Information Assurance, Minor Information Security, Liberty University; B.S., Management of Information Systems: Data Networking, Minor Information Systems, Liberty University; M.S. Cybersecurity, Liberty University

Certifications: (ISC)2 CISSP, ISSEP, ISSMP; CompTIA Security+, Network+; Cisco CCNP Routing & Switching, Security, Service Provider, CCDP; ITILv3 Foundations & Intermediate

Q: Can you explain your roles and responsibilities as the Mission Systems Branch Chief at CISA? 

A: My role as Branch Chief traverses a broad range of different areas and responsibilities. The core of my duties entails overseeing the personnel supporting the planning, development, operations and maintenance of the IT systems, supporting CISA’s role in the protection of the Nations critical infrastructure.  

Q: Focusing on the NICE Cybersecurity Workforce Framework how do you use it both to guide your own career or how could you envision using it as a hiring manager in your organization? 

A: I regularly utilize it as a supplement that lays out all of the specialty areas, work roles as aligning knowledge, skills, abilities, and tasks for working with my agencies retention program as well as creating, updating position descriptions, and hiring justifications and when I’m crafting employee’s performance plans. I also regularly leverage the Framework outright when planning the capability requirements for not only the recruitment of employees but for general mentorship and guidance of my employees and mentees. 

To listen to the full audio interview with Gregory L Bird, Mission Systems Branch Chief, DHA CISA, click on the audio below.

Audio file

Download a transcript of the interview

---

Academic Spotlight

HELPING STUDENTS MAP A CAREER IN CYBERSECURITY USING THE NICE FRAMEWORK 
By Valarie (Vicki) McLain, Computer Information Systems Instructor and Director for the Center for Cybersecurity, Lake Superior College

Have you ever looked at the NICE Cybersecurity Workforce Framework (NICE Framework) and wondered, “What is this? How am I going to utilize this in my class?” If so, you’re not alone!

Many people are aware that hundreds of thousands of cybersecurity positions in the U.S. are currently unfilled. However, very few people know how broad and varied the field of cybersecurity is and how to construct a workforce that meets their mission goals.

One of the biggest challenges has been the lack of consistency in the way “cybersecurity” is defined. Job descriptions and titles for the same job roles vary from employer to employer. This makes it harder for students to understand the requirements for job options and for academia at all levels to prepare students for cybersecurity-related jobs.

Enter the NICE Framework

Educators work with a multitude of content standards and frameworks. The NICE Framework, NIST Special Publication 800-181, is a nationally focused resource that categorizes and describes cybersecurity work. It is not intended to be used as a standalone framework for developing content or a full cybersecurity program. Rather, the NICE Framework is designed to be paired with other frameworks or standards. It is meant to be customized rather than be used as a process or content checklist. The NICE Framework is comprised of the following components:

• Categories (7) – A high-level grouping of common cybersecurity functions.
• Specialty Areas (33) – Distinct areas of cybersecurity work.
• Work Roles (52) – The most detailed groupings of cybersecurity work comprised of specific knowledge, skills, and abilities required to perform tasks in a work role.

As a reference tool, it helps describe the interdisciplinary nature of cybersecurity and leveraging it can help educators develop content for different skillsets needed for a successful cybersecurity program and career.

But Where Do I Start?

Frameworks are a supportive structure to help educators plan and develop their own curricula. They are comprised of a set of interlocking components that recommend what students should know, value, and be able to do at various stages of their education. Frameworks give educators flexibility and ownership to plan and develop alternative curriculum modes to meet their varied needs. The same is true of the NICE Framework.

Specifically, education providers can use the NICE Framework as a reference to develop curriculum, courses, seminars, and research that cover the knowledge, skills, and abilities (KSA) required to perform tasks in a work role.

An Example: The Cybersecurity Workforce Project

Lake Superior College (LSC) was the recipient of a Cybersecurity Workforce Education grant from the National Security Agency. For the grant, LSC designed and implemented six business pods to function as individual businesses from different industry sectors: transportation, finance, education, government, healthcare, and manufacturing. Students “work” in various businesses to complete normal daily activities for the type of business assigned. 

Through the Computer Support Interview Project assignment, students are assigned to a “workplace” and are provided a list of available jobs based on the work roles from the NICE Framework. First, students are asked to write a job description based on the NICE Framework KSA’s descriptors.

Next, students generate a resume that shows their knowledge, skills, and abilities that would make them qualified for the job. Finally, classmates interview each other for a job in a particular sector. Emphasis is placed on alignment between the job description and KSA’s found in the applicant’s resume and through the interview.

For each business, student teams are responsible for running their network, troubleshooting, writing and implementing policies, and following typical business regulations. Each business also maintains a website. The student businesses are eventually “hacked” by previous students knowledgeable in cyber-attacks. Students working in the businesses must provide mitigation plans for response and recovery. The entire system has been primarily installed and configured by students.

The importance of building a cybersecurity workforce is known by all. However, people starting out in the cybersecurity workforce do not know where to go for help in understanding the domain. Providing students with a reference like the NICE Framework will help them construct a pathway to their future career. There are many different resources to consult, and possible career directions in cybersecurity. It really helps to start with a map like the NICE Framework which can help students navigate their career pathway.

Learn more about the Cybersecurity Workforce Project Assignment at Lake Superior College.

---

Industry Spotlight

GROWING IBM’S CYBERSECURITY WORKFORCE BY REVISING JOB DESCRIPTIONS WITH THE NICE FRAMEWORK & NEW COLLAR PRINCIPLES
By Tommy Wenzlau, Talent Leader New Collar Initiatives, IBM

The cybersecurity skills gap is real and growing. CyberSeek data shows an estimated 500,000 unfilled cybersecurity roles in the United States. How will we begin to close that gap if we don’t start thinking – and acting – differently about how we identify and develop talent?

After IBM’s partnership with the Aspen Institute Cybersecurity group resulted in an actionable white paper, “Principles for Growing and Sustaining the Nation’s Cybersecurity Workforce,” we wanted to ensure we were continuing to do our part in bringing these principles and tactics to life.

Eight key principles and recommendations were outlined for consideration. Alone, no single recommendation will close the gap. Employers will need to build multi-faceted talent strategies to revitalize their hiring, training, and employee development to solve this at scale. 

A great place for companies to start building this new talent strategy is with the second principle: “Revitalize job postings to be engaging and to focus on the core requirements; don’t “over-spec” the requirements.” 

Job postings tend to show that cybersecurity roles often require more experience, education, and certifications than IT roles. Did you know that 84 percent of postings studied required a bachelor’s degree and 83 percent required at least three years of experience?  

There are many roles across the spectrum of cybersecurity practitioners: engineers, scientists, developers, operators, and defenders. However, many companies don’t specify clear tasks and corresponding knowledge, skills, and abilities (KSAs). Not all roles require the same amount of education and training, though jobs are posted as if they do.

At IBM, we want to ensure that we’re providing clear position descriptions, focused on the knowledge, skills, and abilities (KSAs) necessary to complete tasks. We also provide a holistic view of what’s needed for a position, not just a laundry list of all the desired certifications.  

“Soft skills such as communication, critical thinking, and teamwork are just as crucial as technical skills,” said Kelli Jordan, director of skills and talent. “It’s about shifting mindsets and prioritizing capability over a credential. Employers should consider redesigning job roles with a focus on diverse skills required to complete the job today and in the future.” 

We undertook a three-week project sprint to improve our cybersecurity job postings. The Talent Acquisition team identified five job profiles where they had large recruiting needs and challenges finding the right candidates.

Once we locked on the roles, we first took our old position descriptions and matched the IBM-specific terminology with data from the NICE Framework. Where applicable, we went with the NICE Framework terminology to help candidates understand what we were looking for in an industry-standard way. This provided us with a foundation of key skills, tasks, and activities aligned specifically to each role.  

We crafted more engaging descriptions focused on the general IBM experience and put a candidate-centric spin on the job description using personalization and words like “you” and “your” instead of “the incumbent.”

Next, we leveraged a tool called Textio to augment our writing and assess overall tone. This helped us understand if our job descriptions were inclusive or potentially unwelcoming. We know that women are severely under-represented in cybersecurity, with representation at only 11 percent -- compared to 26 percent of the workforce in general IT – so we wanted our descriptions to encourage a diverse population of candidates to apply.

Lastly, we employed our New Collar philosophy to our postings by removing degree requirements from job postings whenever they were truly not required. 

“Countless cybersecurity jobs can be filled by ‘new collar’ workers, those that may not have a traditional college or university degree, but they have the necessary technical skills and aptitudes,” said Jordan. “The right skills for jobs like penetration testers, security operations center analysts, technical writers and security awareness trainers can be achieved through modern vocational training, innovative programs like coding camps, 21st century apprenticeships, or professional certification programs.”  

Post-pilot, we saw significant benefit from this work. These changes yielded an overall increase in the number of applicants for these positions and increased the diversity in our pipeline. It gave us access to talent that previously was not applying to our positions. 

“My technical background comes from my military training in the United States Navy. My time serving has given me the people skills, foundational understanding, and work ethic to succeed as a cybersecurity apprentice. It’s so important to be ready and willing to learn more and more every day.” – IBM cybersecurity apprentice graduate.

Given these outcomes, we applied this new model to all the open postings for our Security business unit in the United States and followed shortly thereafter with our global openings. To date, we’ve seen a continued significant increase in the diversity of our applicants and have hired double the percentage of New Collar hires. Our aperture has opened, and we’ve started bringing in new sources of talent by thinking differently about the requirements for a job.  

---

Government Spotlight

USING THE NICE FRAMEWORK TO ASSESS THE FEDERAL CYBERSECURITY WORKFORCE
This story was compiled from a contribution by Anthony Marucci, Director of Communications, Office of Personnel Management

The Federal Cybersecurity Workforce Assessment Act (FCWAA) of 2015 started a process whereby the federal government was required to use the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NICE Framework) to conduct a federal cybersecurity workforce assessment. Specifically, it required the heads of federal departments and agencies to conduct a “National Cybersecurity Workforce Measurement Initiative” to:

1. identify all positions within the agency that require the performance of information technology, cybersecurity, or other cyber-related functions; and 
2. assign the corresponding employment code” [that corresponded to the NICE Framework].  

Following that initiative, the Congress directed agencies to “identify information technology, cybersecurity, or other cyber-related roles of critical need in the agency’s workforce” and to repeat that process on an annual basis through 2022.

In August of 2016, the Office of Personnel Management (OPM) issued a Memo to federal departments and agencies detailing the “Requirements of the Federal Cybersecurity Workforce Assessment Act”, and in December of 2017, OPM issued another Memo to describe “Next Steps in Implementing the Federal Cybersecurity Workforce Assessment Act”. The Requirements and Timelines were also summarized as follows:

• January 2017: OPM issued guidance on assigning new cybersecurity codes that aligned to the NICE Framework
• April 2018: Agencies review position and assign cybersecurity codes
• April 2019 through 2022: Agencies determine and report their cybersecurity work roles of Critical Need and develop and implement plans for how they will mitigate skill gaps

Using the NICE Framework to “Inventory Your Cybersecurity Workforce”, “Determine Any Gaps”, and “Address the Gaps” was recognized as a methodology to reduce cybersecurity risk in the ”Cybersecurity Workforce Development Toolkit: How to Build a Strong Cybersecurity Workforce” (updated November 2016) developed by the U.S. Department of Homeland Security. Now that the federal government has completed the first round of its federal cybersecurity workforce assessment, we wanted to share with the community the outcome of that assessment and lessons learned through an interview between the National Initiative for Cybersecurity Education (NICE) and the Office of Personnel Management (OPM):

NICE: What are the top work roles of the current federal government? 

OPM: The most common cybersecurity work roles as identified by the agencies through the NICE Framework 3 digit codes are Technical Support Specialist, Cyber Crime Investigator, System Administrator, Software Developer, Program Manager, IT Project Manager, and Network Operations Specialist.

NICE: What are the top personnel classifications reported for all cybersecurity work roles?

OPM: The top occupations that were the most coded with the 3 digit codes were the IT Specialist (GS-2210), Criminal Investigator (GS-1811), Computer Science (GS-1550), Intelligence (GS-0132), and Electronics Engineer (GS-0855). It should also be noted that over 250 occupations were coded as doing some type of cybersecurity work.

NICE: What are the top work roles of critical need?

OPM: The top work roles of critical need are Cyber Crime Investigator, System Security Analyst, System Administrator, and Network Operations Specialist.

NICE: What do the results of this assessment mean to employers in the federal sector, education and training providers, and job seekers?

OPM: The results allow agencies to pinpoint where they should focus resources in order to close specific critical gaps in their cybersecurity workforce. The steps to close gaps aim to improve hiring tools and processes, expand recruitment and outreach efforts, increase use of hiring flexibilities, and enhance training and employee development. Agencies are also more cognizant of the NICE Framework and its work role definitions as they develop job announcements to attract external applicants. Having a standardized understanding and lexicon of the cybersecurity work helps to bridge the gap between current job seekers and Federal job opportunities. Likewise, this data will assist educators and training providers in understanding how they can support agencies in mitigating these gaps. Curriculum can be developed to specifically address the work roles that were identified by the agencies. The agencies can partner with educators and training providers to implement a multi-faceted strategy that integrates formal training and education with other types of developmental opportunities such as rotational assignments.

NICE: What are the lessons learned from departments and agencies conducting this first cybersecurity workforce assessment? 

OPM: There were some “common root causes of shortages” that were identified, including 1) lack of recruitment or outreach:  not attracting enough highly qualified applications; 2) lack of training and development:  not developing needed skills through training and certifications; 3) ineffective hiring:  highly qualified candidates not referred, slow hiring process, or little understanding of the competencies or experience needed for work roles of critical need; 4) lack of budget or resources: constrained budget or resources, competing budget and hiring priorities, significant gaps between requested versus authorized positions, staffing and skills gaps identified after budgets were set, no funds for training staff that could transition into work roles of critical need, and budget priority is in mission areas and not IT positions; and 5) non-competitive pay with private sector:  higher pay needed to attract and retain employees.  

NICE: What advice would they give to other employers wanting to conduct a similar assessment? 

OPM: One of the big lessons learned was the importance of accuracy in identifying positions with specific work roles not just those located in the Office of the CIO or not just Information Technology Specialists. Agencies are finding that many other offices and positions have responsibility for cybersecurity throughout the agency. By properly coding the work roles agencies are able to quickly determine where vulnerabilities may occur. Agencies also found that it was important to identify the true root cause that was causing the critical need. In order to mitigate the gap they must know the true cause to develop a strategy that will successfully address the problem.

---

Affiliated Program Updates

Various organizations within the U.S. government own and operate programs designed to enhance the cybersecurity education, training, and workforce development needs of the nation. The following are a few of those programs. 

Advanced Technological Education Program

Special Issue of Cybersecurity Skills Journal: Practice and Research on the NICE Cybersecurity Workforce Framework

The NICE Framework was published as NIST Special Publication 800-181 in August 2017. NICE intends to review and update the NICE Framework during 2020. Therefore, the Cybersecurity Skills Journal is seeking manuscript ideas and drafts that examine the usefulness, benefits, and challenges associated with the adoption, adaptation, or extension of the NICE Framework in cybersecurity practice, to improve learning and advance the state of cybersecurity capability maturity. Authors are invited to submit a paper proposal or draft manuscript abstract that conforms to the structured abstract format specified in the Cybersecurity Skills Journal Author Guidelines.

Submitted abstracts may address any aspect of the NICE Framework, though emphasis should be placed on empirical support for effective awareness, application, and impact of the NICE Framework in enhancing the cybersecurity capability maturity of the entrant, extant, or future workforce. Prospective authors are encouraged to review the anticipated usage and extensions of the NICE Framework documented on pages 2-4 and 7-10 of the NIST Special Publication 800-181.
For additional information, visit http://csj.nationalcyberwatch.org.

Learn more here.

Session on Governance, Risk Management, and Compliance at Western Academy Support and Training Center (WASTC) 2020 Winter ICT Educators Conference

Introducing governance, risk management, and compliance fundamentals into existing courses is the topic of a breakout session National Cybersecurity Training & Education (NCyTE) Center is offering at the WASTC Winter ICT Educators Conference in San Jose on January 7, 2020. Feedback from business and industry indicates that cybersecurity graduates need these basic principles to be prepared for today’s workforce. Register for the workshop or conference at https://www.wastc.org/events/2020/1/6/wastc-2020-ict-educators-conference.

C3P Recipients to Attend CyberCorps®: Scholarship for Service 2020 Job Fair

Through the Community College Cyber Pilot (C3P) program, cyber scholars from Whatcom Community College, Anne Arundel Community College, Clark State Community College, and Oklahoma City Community College will attend a 2020 CyberCorps®: Scholarship for Service (SFS) Job Fair in Washington, DC, on January 13-14, 2020. These students in community college programs are recipients of Scholarship for Service awards available to a select number of students who hold a bachelor’s degree or are a military veteran. Federal agencies from across the nation will be on hand to interview students for internships and employment.

National Centers of Academic Excellence (CAE) in Cybersecurity 

New CAE Application Workshops Presented by NCyTE Center

Changes to the requirements for the Center of Academic Excellence (CAE) designation have fueled the need for new workshops to inform and coach applicants through the new process. The National Cybersecurity Training & Education (NCyTE) Center presented a full day of training at Coastline Community College on December 11, and another workshop is scheduled for February 14, 2020. San Antonio College will host the February workshop, which will also include an overview of the National Science Foundation-funded Scholarship for Service grant program available to CAE-designated Community Colleges. A limited number of travel stipends are available for qualified participants. Visit http://www.ncyte.net to register.

Recognition Ceremony for CAE Recipients at NICE Conference

The National Cybersecurity Training & Education (NCyTE) Center hosted a celebration of the designation of over 50 colleges as Centers of Academic Excellence in Cyber Defense at the NICE Conference on November 20, 2019. A representative from each college received a CAE challenge coin to commemorate its efforts. Mentors who successfully assisted five or more institutions in reaching the designation were also recognized. Michael Burt, Fred Klappenberger, Stephen Miller, Joe Murdock, John Sands, Nelbert St. Clair, Prem Uppuluri, Deanne Wesley, and Debbie Wolf received certificates of appreciation for their dedication to the CAE-CD Application Assistance Program.

Learn more here.

CyberCorps: Scholarship for Service (SFS)

On January 1, 2020, the National Science Foundation (NSF) awarded five new universities with CyberCorps®: Scholarship for Service (SFS) grants with an expected total of $14.5 million over the next five years. The schools will use the money to provide scholarships, including full tuition and a stipend up to $34,000 per academic year, to students in Cybersecurity and, following graduation, scholarship recipients will be required to work for a federal, state, local, or tribal Government organization for the same duration as their scholarship support.

The following universities in Alabama, Florida, Louisiana, North Carolina and South Carolina received the awards:

• University of Alabama Tuscaloosa, $3.1 million over five years, under the direction of Dr. Jeffrey Carver. This project seeks to address the growing national need for highly-trained, well-rounded cybersecurity professionals by recruiting a diverse set of scholars from three academic programs at the University of Alabama: Computer Science, Criminology and Criminal Justice, and Management Information Systems. Read more.
• University of West Florida, $2.4 million over five years, under the direction of Dr. Eman El-Sheikh. This project will establish a cybersecurity community of practice to grow and sustain a superior cybersecurity workforce through scholarships, professional and leadership development, high-impact learning practices, competency-based cybersecurity skills development and community partnerships. Read more.
• Louisiana State University, $3.4 million over five years, under the direction of Dr. Golden Richard. LSU has a strong cybersecurity program that offers students the opportunity to study a variety of topics in applied cybersecurity and to conduct research using state-of-the-art facilities. Read more.
• North Carolina State University, $2.8 million over five years, under the direction of Dr. Douglas Reeves. Specific attention will be given to the recruitment of females, veterans, minorities, and first-generation college students. A recruiting pipeline will be developed and include community colleges and K-12 outreach. Read more.
• Citadel Military College of South Carolina, $2.8 million over five years, under the direction of Dr. Shankar Banik. This is the first CyberCorps project in the state of South Carolina and is therefore uniquely positioned to serve the Lowcountry area including the nearby Naval Information Warfare Center (NIWC) Atlantic. Read more.

The schools will be officially recognized during the annual CyberCorps® SFS Job Fair to be held in the Washington, D.C. area on January 13-15, 2020.

Learn more at www.sfs.opm.gov. 

---

Funded Project Updates

NICE Challenge Project

The NICE Challenge Project develops real-world cybersecurity challenges within virtualized business environments and provides students workforce experience. The goal is to provide the most realistic experiences to students, at-scale year-round, while generating useful assessment data on their knowledge, skills, and abilities for educators.

During the Fall quarter, the project released two major platform features, a steady count of new cybersecurity challenges, and experienced ongoing growth with its user base.

The first platform feature the project released is called, "Overseers". The Overseers feature focuses on providing the platform’s Curators (educators) more flexibility when it comes to using the NICE Challenges in their classes, clubs, and competition teams. This feature allows a Curator to temporarily grant a Player (student) Overseer privileges, which allows that Player to create reservations, add new players, and review challenges in their Curator's stead. This feature was designed to give Educators the ability to empower their Teaching Assistants, Club Presidents, and Team Captains while also making sure the Curator is always in control and retains access to all the challenge data.

Currently, the second platform feature has been released in beta. This feature focuses on providing a way for Players to take their challenge successes with them both physically and digitally. This feature allows them to export their challenge reports from the NICE Challenge platform in the form of an easily authenticatable PDF. At present, the project expects this feature to leave beta in Q2 of 2020.

The project also released a handful of new challenges. These new challenges are mapped against KSA-Ts and work roles from within the Protect & Defend and Operate & Maintain categories of the NICE Framework.

The NICE Challenge Project’s steadily growing user base reached 700 instructor signups and serves over 425 educational institutions throughout the United States. The most growth is seen in the K12 sector and the expectation is that this trend continues for the next few quarters.
The project’s development and content decisions are driven not only by our strategic vision, but by the extremely valuable feedback received from users whom we feel privileged to work with on this journey forward in creating the next generation in hands-on cybersecurity content. Professors or staff members at educational institutions within the United States may sign up and learn more at www.nice-challenge.com. 

---

NICE Working Group Updates

The NICE Working Group (NICEWG) has been established to provide a mechanism in which public and private sector participants can develop concepts, design strategies, and pursue actions that advance cybersecurity education, training, and workforce development. As we kick off a new year of working group discussions and projects, we would like to thank all of the NICEWG members for their time and dedication to enhance and develop the cybersecurity workforce.

We would especially like to acknowledge the service of the following outgoing Working Group co-chairs:

• Jason Hite, Industry Co-Chair of the NICE Working Group
• Jennifer Carlson, Apprenticeship Subgroup Co-Chair
• Stephen Miller, Collegiate Subgroup Co-Chair
• Grant Gibson, Training and Certifications Subgroup Co-Chair
• Maurice Uenuma, Workforce Management Subgroup Co-Chair

In addition, we welcome the Working Group's new co-chairs, and look forward to their contributions:

• Jon Brickey, Industry Co-Chair of the NICE Working Group, Mastercard
• Cecelia Schartiger, Apprenticeship Co-Chair, IBM
• Denise Ferebee, Ph.D., Collegiate Subgroup Co-Chair, LeMoyne-Owen College
• Laurin Buchanan, K12 Subgroup Co-Chair, Secure Decisions
• Terrance R. Campbell, K12 Subgroup Co-Chair, Shelby County Schools
• Karen Jensen, Workforce Management Co-Chair, Saaby Consulting

Learn more about the NICE Working Group and sign up to participate at nist.gov/nice/nicewg.

---

Key Dates

NICE Webinars

On January 29, 2020, NICE will hold a webinar on “Learning Cybersecurity Principles for the Practice of Information Security”. This webinar will begin a dialogue about reaching consensus for a common set of cybersecurity principles to be communicated, acquired, and practiced by learners of all ages. Learn more and register today here.

On December 18, 2019, NICE held a webinar on “Shopping Safely Online and the Work of Cybersecurity Awareness and Behavior Change”. This webinar provided timely tips for staying safe online during the holiday season and made the case for inclusion in the NICE Cybersecurity Workforce Framework of a new work role for individuals responsible for creating secure behaviors throughout the organization. Learn more and view a recording here.

On December 3, 2019, NICE held a webinar on “How You Can Influence an Update to the NICE Framework”. This webinar provided an overview of the plans to update the NICE Framework as well as details on how to submit comments to NIST on the planned updates. Learn more and view a recording here.

On November 13, 2019, NICE held a webinar on “Cybersecurity Career Opportunities with the Federal Government.” This webinar identified some of the resources available to help job seekers, secondary school counselors, and collegiate career navigators to discover career opportunities with the federal government. Learn more and view a recording here.

NICE webinars are free to attend, but registration is required.

Learn more, view webinar recordings, and more here. 

NICE Cybersecurity Workforce Framework

Deadline to Submit Comments on Updates to NICE Framework, January 13, 2020.

On November 19, 2019, NIST announced plans to update the NICE Cybersecurity Workforce Framework. The public is invited to provide input by January 13, 2020, for consideration in the update.

Learn more at www.nist.gov/nice/framework.

FISSEA Conference, June 15-16, 2020
Gaithersburg, Maryland

Save the date! The FISSEA Conference will take place on June 15-16, 2020 in Gaithersburg, Maryland.

Learn more at www.nist.gov/fissea.

NICE Conference and Expo, November 16-18, 2020
Atlanta, Georgia

Save the date! The 11th annual NICE Conference and Expo will take place on November 16-18, 2020 in Atlanta, Georgia.

Learn more at www.niceconference.org.

This event is supported by the National Initiative for Cybersecurity Education (NICE), a program of the National Institute of Standards and Technology in the U.S. Department of Commerce, under a Cooperative Agreement (Award# 70NANB18H025).

NICE K12 Cybersecurity Education Conference, December 2020 
St. Louis, Missouri

Save the date! The 6th annual NICE K12 Cybersecurity Education Conference will take place in December 2020 in St. Louis, Missouri.

Learn more at www.k12cybersecurityconference.org.

This event is supported by the National Initiative for Cybersecurity Education (NICE), a program of the National Institute of Standards and Technology in the U.S. Department of Commerce, under financial assistance award #60NANB16D302.