Welcome to the summer 2021 issue of the NICE eNewsletter. I am thrilled to be introducing this issue -- and myself -- to you all. My name is Karen Wetzel, and I joined the NICE team in the fall of 2020 as Manager of the NICE Framework. I’ve already had the opportunity to meet with many of you and look forward to continuing our conversations, hearing your suggestions, and learning about your successes with the NICE Framework.
In this edition, our featured article focuses on a hot topic: the intersection of artificial intelligence (AI) and cybersecurity. As AI has shifted from an emerging area of computing to one that is ubiquitous in our lives, having cybersecurity expertise to anticipate and address potential risks in this area is essential. As we learn in this issue, a key to ensuring that expertise is integrating cybersecurity content into AI education.
Next, the Framework in Focus is a great read as we hear from Santi Kiran, Security Control Assessor at NIST. Ms. Kiran discusses her current role, the path that led her to this position, the broad variety of cybersecurity-related positions, and more.
Finally, we have three great spotlights in this issue. Our Academic Spotlight focuses on an exciting effort from the Networking and Information Technology Research and Development (NITRD) program to help students find STEM internships, scholarships, and other training opportunities at federal agencies. In the Government Spotlight, you’ll learn about the National Governors Association (NGA) launch of the 2021 Policy Academy to Advance Whole-of-State Cybersecurity. The Industry Spotlight highlights Cloud Range’s efforts to improve hiring by offering simulation-based assessments that allow candidates to demonstrate capabilities tied to the NICE Framework.
I know you will enjoy reading through this issue, and I look forward to continued conversations based on the insights shared here.
Karen A. Wetzel
Manager, NICE Framework
By Casey Fiesler, Assistant Professor of Information Science; Robin Burke, Professor and Department Chair of Information Science; and Eric Wustrow, Assistant Professor of Computer Engineering, University of Colorado Boulder
As artificial intelligence (AI) becomes an increasingly critical component of not only the computing environment but also society as a whole, it is essential to identify the vulnerabilities of AI systems and to safeguard them from unintended and malicious uses. For instance, deep learning visual classifiers used in self-driving cars can be fooled into misclassifying objects – such as a stop sign for a speed limit sign – allowing potential attackers to cause accidents and injuries.
The relevance of cybersecurity expertise (in adversarial thinking and risk assessment/management, for example) to AI has never been more clear, but this essential connection is largely lacking within computing education. AI and cybersecurity are considered distinct areas of advanced student learning and associated courses are typically upper-division electives. Students who specialize in AI likely learn little about cybersecurity, and vice versa. However, new efforts at University of Colorado Boulder aim to change that.
A parallel can be seen in the increasing attention paid to the role that ethics plays in computing education, with calls to action to integrate this topic across curriculum. Here also, educators have recognized the importance of safety and mitigating unintended negative consequences of technology with ethics-oriented modules or concepts embedded into technical classes in addition to standalone classes.
The “course-embedded” strategy pioneered in ethics education has benefits that also apply to security, which, like ethics, is an important property that can be applied to many computing specializations. Among these benefits, this strategy: (1) ensures that all AI-trained students have some exposure to security concepts without requiring additional security coursework; (2) allows for in-situ instruction so that the concepts are directly contextualized in AI methodologies and problems; and (3) emphasizes to students that good security and risk assessment practices should be an integral part of developing and using AI systems.
The goal with this approach is not necessarily to produce students who are deep experts in both AI and cybersecurity, though this may be an outcome for some students. Instead, the goal is to ensure that AI specialists know enough about cybersecurity to: (1) identify potential vulnerabilities in and threats to algorithms and data within the larger systems AI is embedded in; (2) recognize when to engage experts; and (3) pose the right kinds of questions to domain experts.
Funded by an education grant from the NSF Secure and Trustworthy Cyberspace (SaTC) program, researchers at University of Colorado Boulder will implement new cybersecurity curricula directly into AI-related classes across Information Science and Computer Science. Integrated concepts will include strategies for identifying, analyzing, and mitigating threats and vulnerabilities as part of AI development and implementation processes as highlighted in the protection and defense category of the NICE Workforce Framework for Cybersecurity.
Evaluation of this curricular strategy will focus on learning outcomes and attitude changes (e.g., perception of the importance of cybersecurity to AI and interest in pursuing further study of both) as well as analysis of how students work through activities such as threat modeling, input analysis, and adversarial design as related to AI. Through exposing students in other classes to cybersecurity concepts and broadly disseminating this curriculum for use to other educators, the primary objective of this project is to impact education and therefore the future of the workforce. However, the hope is that this work will also provide insights that could lead to better cybersecurity integration into AI design and implementation, therefore contributing overall to the creation of more secure and trustworthy AI systems.
A profile of a cybersecurity practitioner to illustrate application of the NICE Framework.
Organization: National Institute for Standards and Technology, U.S. Department of Commerce
NICE Framework Category: Securely Provision
NICE Framework Work Roles: Security Control Assessor
Academic Degrees: B.A., Criminology and Criminal Justice; M.S., Cybersecurity Policy; MBA
Certifications: CompTIA Security+, Certified Information Systems Security Professional (CISSP)
This issue’s interview is with Santi Kiran, Security Control Assessor at the National Institute for Standards and Technology (NIST). Ms. Kiran discusses her career path and how it led her to her current position, the wide variety of cybersecurity-related positions that exist, and the importance of certifications to her career and continuous learning, among other topics.
By Dr. Diana Weber, Communications and Public Affairs Coordinator, National Coordination Office (NCO), Networking and Information Technology Research and Development (NITRD)
As students start their journey in science, technology, engineering, and mathematics (STEM) fields, it can be challenging for them to find internships to gain experience. Usually students start with a Google search, which can be laborious, frequently unproductive, and even disheartening. That does not help bring more people into STEM fields. But a newly released STEM portal from NITRD helps students, educators, postdoctoral fellows, and early career researchers search for internships, scholarships, and other training opportunities at federal agencies.
By Debbie Gordon, CEO, Cloud Range
The ever-changing cybersecurity threat landscape requires cybersecurity operators to have up-to-date knowledge and skills. Cybersecurity defenders need to know what they should do during an attack, and it is even more important that they have the ability to do it. Unfortunately, actual job experience and industry standard certifications do not necessarily indicate whether a candidate is able to perform in a new work environment with different threat vectors. Using its cyber range, Cloud Range established simulation-based assessment exercises that mimic actual work roles as defined by the NICE Framework. These immersive assessments allow candidates to perform as they would on the job.
By John Guerriero, Cybersecurity Policy Analyst, National Governors Association
The National Governors Association's Center for Best Practices recently selected five states - Indiana, Kansas, Missouri, Montana, and Washington - to participate in the 2021 Policy Academy to Advance Whole-of-State Cybersecurity. The center will work with the states to develop and implement strategic action plans to improve their cybersecurity postures. Each state will build a multi-disciplinary team of local and state stakeholders and convene an in-state workshop to create an action plan for its specific focus area. NGA staff will work closely with the states in developing, refining, and implementing the plans and offer regular coaching calls and more.
Various organizations within the U.S. government own and operate programs designed to enhance the cybersecurity education, training, and workforce development needs of the nation. The following are a few of those programs with updates on their activities:
NICE Framework Competencies
The NICE Program Office is currently adjudicating comments received on draft NIST Interagency or Internal Report (NISTIR) 8355, NICE Framework Competencies: Assessing Learners for Cybersecurity Work, and the accompanying draft List of Competencies. The NICE Program Office, in partnership with the CAE Community, offered a virtual workshop this past quarter on “NICE Framework Competencies: Moving from Concept to Implementation.” The workshop convened academic, industry, and government stakeholders to identify use cases and implementation paths for NICE Framework Competencies. The presentation slides and a summary report from this event are available online.
Learn more: NICE Framework Resource Center
The National Initiative for Cybersecurity Careers and Studies (NICCS), managed and maintained by the Cybersecurity and Infrastructure Security Agency (CISA), continues to strive to be a national hub for cybersecurity education, training, and careers. The NICCS Education and Training Catalog has over 6,100 courses and counting! All courses listed on the training catalog are mapped to the Workforce Framework for Cybersecurity (NICE Framework) to aid users in locating a course that will benefit their career development.
Further enhancements have been made to the Cyber Career Pathways Tool. Changes include:
• Off ramps to work roles in Cross Functional communities
• Subtab buttons that stay on screen for long scrolling content
• New label for Top 5 Related Roles
• Specific language appears for Top 5 Related Roles when Federal Core is selected
• Green arrow in percentage tables says “selected role” or “compared role”
NICCS also features a Student Cybersecurity Resources page to encourage students to research cybersecurity industry career options and a Cybersecurity Careers page that links users to active federal cybersecurity job openings from USAJobs.com. Both pages may be used as teaching tools for the current cybersecurity job market and may help students find jobs after graduation.
To learn more about NICCS and its resources, email niccs [at] hq.dhs.gov
Community College Cyber Summit (3CS) 2021
The 8th annual Community College Cyber Summit (3CS), the only national academic conference focused on cybersecurity education at community colleges, will take place in person November 5-7, 2021, at Sinclair Community College in Dayton, Ohio. A Career Exploration event for students will be an integral part of the 3CS. Local, regional, and national students are encouraged to attend. The students will have an opportunity to interact with cybersecurity professionals in industry, faculty, and government to gain a deeper understanding of the variety of cybersecurity careers and needs.
3CS is organized and produced by the National CyberWatch Center (NCC), the National Resource Center for Systems Security and Information Assurance (CSSIA), and the National Cybersecurity Training & Education Center (NCyTE), all of which are funded by the National Science Foundation (NSF). The summit will support community college cybersecurity programs across the nation by highlighting the latest technologies, best practices, curricula, products, and more.
For more information and to register, visit https://www.my3cs.org.
AP Computer Science Principles: Cybersecurity
For more information, visit https://www.ncyte.net/ncyte-news/news/ap-csp-cyber.
Accredited Credential Programs – Building Trust Between Employers and Credential Providers Through Rigorous Assessments
May 19, 2021
In this webinar, participants learned about advantages of offering accredited credentials, key accrediting bodies, the type of credentials that are appropriate, requirements of accrediting bodies, basic elements of ISO 17024 standards for accreditation, the process for creating a fair and valid assessment required for accredited credentialing programs, and the use of search engines to analyze credentials for accreditation status. Learn more and view the recording here.
Getting Girls into STEM and Cybersecurity – Pathways to Progress
April 21, 2021
This webinar described how we can better understand the cultural nuances that prevent girls from feeling welcomed in cybersecurity and STEM careers and what we can do in our communities to ensure girls are excited about these fields and inspired to be part of a future in STEM. Learn more and view the recording here.
Learn more about the NICE Webinar Series
National K-12 Cybersecurity Learning Standards - Coming in August!
After months of collaboration with educators across the country, CYBER.ORG is publishing the first set of K-12 Cybersecurity Learning Standards. Find out more about this standards effort at https://cyber.org/standards.
Learn more: CYBER.ORG
Summer Camps 2021
GenCyber summer 2021 camps are in full swing with 160 camps in 44 states plus Washington, D.C. and Puerto Rico. They have already started their programs or will begin within the next few weeks. Depending on local COVID-19 guidance, camps are being held in virtual, in-person, or hybrid formats. For the latest camp offerings, click here. General questions can be sent to GenCyber [at] nsa.gov.
Learn more: www.gen-cyber.com
Combine Invitational Kicks Off in July
Led by Katzcy and in cooperation with NICE, the inaugural US Cyber Games are open from April to October 2021. The US Cyber Games consist of the US Cyber Open, the US Cyber Combine Invitational, and the selection of the first-ever US Cyber Team to represent the United States at the 2021 International Cyber Security Challenge (ICSC) in Athens, Greece in December. The US Cyber Open, a free competition open to anyone, was held May 28 through June 11, 2021. Top scoring athletes from the Open are now being considered to join the US Cyber Combine. The Combine Invitational will kick off on July 9 with a livestream kickoff event.
Learn more: uscybergames.com
The NICE Community Coordinating Council (NICE Community) has been established to provide a mechanism in which public and private sector participants can develop concepts, design strategies, and pursue actions that advance cybersecurity education, training, and workforce development. The NICE Community Coordinating Council is comprised of three Working Groups and four Community of Interest groups.
Learn more and join the NICE Community Coordinating Council.
This webinar will describe efforts to update NIST’s Guide to Industrial Control System and will explore the competencies or work roles that are needed to secure operational technologies. NICE webinars are free to attend, but registration is required.
Learn more and register here.
In this webinar, speakers will share their experiences with developing assessment-based approaches to identifying and hiring cybersecurity talent. You will learn about policies and strategies, the development and use of behavior-based interview questions, and a pilot that focused on identifying individuals with high cybersecurity aptitude.
Learn more and register here.
RICET (Regional Initiative for Cybersecurity Education and Training) is a collaborative effort to build and strengthen a foundation in cybersecurity education, training, and workforce for the Americas. This training event provides an opportunity for community members and thought leaders from education, government, industry, and non-profits to explore ways of developing a curriculum for the current and future cybersecurity workforce.
Learn more and register here.
Federal Information Security Educators (FISSEA) Forums are quarterly meetings that provide opportunities for policy and programmatic updates, the exchange of best practices, and discussion and engagement among members of the FISSEA community.
Learn more here.
Mark your calendars to celebrate this year's Cybersecurity Career Awareness Week across the country! Join us in promoting awareness and exploration of cybersecurity careers by hosting an event, participating in an event near you, or engaging students with cybersecurity content.
Learn more: nist.gov/nice/ccaw.
In this webinar, speakers will discuss why now is the time to experiment with cybersecurity apprenticeships, what it would take to build such a program, what barriers must be overcome, and how we can make progress as a community.
Learn more and register here.
Join us for this half-day virtual symposium that serves as a precursor to the annual NICE Conference in June 2022. In light of dramatic events and emerging risks, experts will discuss the role of the cybersecurity workforce and the need for a coordinated response to strengthen the security of the supply chain. The NICE Symposium is free and open to the public.
Learn more and register here.
NICE K12 Cybersecurity Conference keynote speakers have been announced! The three main keynote speakers are Jennifer Buckner, Senior Vice President of Technology Risk Management at Risk Governance and Operations Mastercard; Efren Zamara, Associate Security Analyst at Crowdstrike; and Sarah Kaleel, Senior Program Manager at Comcast. This year’s conference theme is "Broadening the Path to Cybersecurity Careers through K12 Education," and more than 100 presenters and panelists will share their expertise and insights.
Learn more: k12cybersecurityconference.org
The FISSEA Annual Conference aims to elevate the general level of information security knowledge for the federal government and federally-related workforce; serve as a professional forum for the exchange of information and improvement of information systems security awareness and training programs throughout the federal government; and provide for the professional development of community members.
Learn more here.
The next NICE Conference & Expo will take place at the Westin Peachtree Plaza in Atlanta, Georgia, in June of 2022. While we will not hold a full conference in 2021, we are holding the NICE Symposium this year on November 16. Stay tuned for more information on all of our 2021-22 programming.
Learn more: https://niceconference.org/