Welcome, my name is Emiliana Merida, and I was an intern at the NICE Program Office this past year. I am currently a Senior at Cal State San Bernardino (CSUSB), a National Center of Academic Excellence (CAE) in Cybersecurity institution, where I am the Outreach Officer of the CSUSB student chapter of Women in Cyber Security (WiCyS) club. In this role, I received the scholarship to be part of the WICYS 2022 conference where I made connections resulting in a job offer from a company to start in the summer of 2022.
During my internship at NICE, I gathered data to create visualizations of audience attendance and engagement during NICE webinars. Research was conducted concerning cybersecurity pathways and defining employability skills and how they might fit within the NICE framework.
This quarter’s newsletter features topics on student perspectives within cybersecurity careers, how communities practice IT and cybersecurity, and so much more. Cybersecurity has become a trending topic within schools, workplace, and communities where curiosity is sparking. Hopefully, everyone can enjoy these informative articles.
By Yair Levy, Professor of Information Systems & Cybersecurity, and Director of Center for Information Protection, Education, and Research (CIPhER), Nova Southeastern University and Anne Kohnke, Associate Professor of Cybersecurity & Information Systems, and Director of the Center for Cyber, Security & Intelligence Studies, University of Detroit Mercy
Learning is fundamentally a social process and many groups have newcomers, old-timers, artifacts, knowledge, and practices. Creating a space, whether physical or virtual, in which participants can collaborate may evolve naturally or be created deliberately with the intention of advancing collective knowledge. Peer-to-peer learning is not new and has proven to facilitate trust development, cohesion, and deeper understanding among individuals who share experiences to improve practices. A Community of Practice (CoP), an example of peer-to-peer learning, was first proposed in 1991 and defined as “a group of individuals who share a concern or a passion for something they do and learn how to do it better as they interact regularly” (Lave & Wenger, 1991, p. 29). As the discipline of cybersecurity continues to evolve with new information revealed through research projects as well as through experts in the field uncovering new exploits and developing solutions, it is critical for spaces to be created to share this knowledge within communities.
The National Centers of Academic Excellence in Cybersecurity (NCAE-C), led by the National Security Agency (NSA) and its federal partners established three Communities of Practice (CoPs) and are a prime example of such peer-to-peer learning. They are not only important for many disciplines but are especially critical for the success of the national cybersecurity education landscape. By inviting individuals into these physical and virtual spaces to learn from each other, participants are provided opportunities to collaborate on research projects, share and further develop course curricula to strengthen the competencies of graduates, and to build relationships for personal and professional development. The body of knowledge that defines the discipline of cybersecurity encompasses a significant number of topics and competencies, therefore, no one entity has all the tools and resources for the advancement of the field. With this in mind, the insightful leadership of the CAE Community in Cybersecurity formed a CoP for each of the three NCAE-C designations: Cyber Defense (CAE-CD), Cyber Operations (CAE-CO), and Cyber Research (CAE-R). In one short year, the active participation of members willing to share ideas, strategies, and best practices has proven to be very beneficial.
The initiatives undertaken in the respective CoPs have emerged spontaneously by an expressed need, a common passion, or a concern. At the onset, a Steering Committee was created for the largest community, the CoP CAE-CD designation, and regular meetings were established to create an open dialogue. During these meetings, several initiatives were identified and then established by key individuals who are passionate about a common theme or purpose and willing to serve as leaders. These focused subgroups then organized and formed their own events and activities to share experiences and knowledge to further improve what they do. Two Co-Chairs for each of the CAE CoPs ensure that each focused initiative continues to benefit the communities and stays on track by providing project oversight. During the past year, the participation and feedback has been overwhelmingly positive. A healthy outcome of these focused CoP initiatives has been the development of trust and appreciation among the community members.
The Community of Practice in Cyber Defense (CoP-CD), co-chaired by Dr. Yair Levy (Nova Southeastern University, Florida) and Dr. Anne Kohnke (University of Detroit Mercy, Michigan), is the largest of the three. A sizable Steering Committee was established that meets quarterly to identify and discuss shared needs. Several initiatives were identified, including a monthly event for CAE-CD schools to share who they are, their programs, research, and opportunities for collaboration on research and curriculum needs. Another initiative is a Regional Outreach Competition that involves all five NCAE-C Regional Hubs to recognize the outstanding community outreach that NCAE-Cs around the nation are conducting yearly. We also plan to negotiate group pricing on behalf of NCAE-C schools in order to gain access to cyber ranges, labs, and certificate prep platforms that they would not otherwise be able to afford. Additionally, we’re in the process of creating a New Point-of-Contact (POC) Onboarding Process Workshop for all NCAE-C schools who may have a new POC. Some schools have turnover in their POCs with the result of all institutional knowledge lost when that person moves on, causing numerous issues for the NCAE-C Program Management Office (PMO). Additionally, a new initiative is focused on Student Competitions and Capture The Flags (CTFs) events to collect, categorize, and promote to the CAE Community.
The Community of Practice in Cyber Operations (CoP-CO) is co-chaired by Dr. Drew Hamilton (Texas A&M University, Texas) and Dr. Seth Hamman (Cedarville University, Ohio). The CoP-CO seeks to advance the deeply technical academic discipline of cyber operations through collaboration and service to the community. Current efforts include updating the Knowledge Units (KUs) criterion for the designation and developing application assistance resources for new and redesignating schools.
The Community of Practice in Cyber Research (CoP-R) is co-chaired by Dr. Agnes Chan (Northeastern University, Massachusetts) and Dr. Susanne Wetzel (Stevens Institute of Technology, New Jersey). The CoP-R aims at facilitating research collaborations among researchers in government agencies and academia. Current efforts are focusing on further developing the Information Security Research and Education (INSuRE) program to teach students research methodologies and to update the criteria for the CAE-R designation.
Together, these three Communities of Practice are helping institutions of higher education to demonstrate and embrace the NICE values of Foster Communication, Facilitate Collaboration, and Share and Leverage Resources as we work together as a community to prepare and grow the next generation of the cybersecurity workforce.
Lave, J., & Wenger, E. (1991). Situated learning: Legitimate peripheral participation. Cambridge University Press.
A profile of a cybersecurity practitioner to illustrate application of the NICE Framework.
NICE Framework Categories: Protect & Defend; Analyze; Collect & Operate
NICE Framework Work Roles: Cyber Operator; Cyber Ops Planner; Exploitation Analyst; Security Control Assessor; System Testing and Evaluation Specialist; Vulnerability Assessment Analyst
Academic Degrees: A.A., French Language, Grossmont College; B.A., Russian and Soviet Studies, University of California, San Diego; M.S., Cyber Security and Information Assurance, Western Governors University
This issue’s interview is with Maril Vernon, Offensive Security Engineer at Zoom. Ms. Vernon discusses the variety of cybersecurity roles that exist, shares the importance and value of engaging with the cybersecurity community, and shares the joy she feels working in this field, among other topics. Below is a summary of his conversation with Karen A. Wetzel, Manager of the NICE Framework:
Karen: Let’s just jump into it. Can you explain more about what an offensive security engineer is?
Maril: Absolutely. Typically someone who works in offensive security might be known as a penetration tester, or pen tester for short. However, within offensive security, you can do a number of things. You could be a pen tester, a red team operator, a purple team operator, an exploit developer, a tool developer for exploits, or be doing reverse malware engineering.
Of all the flavors that are available, I specifically am a red team operator, which is nuancedly different from a pen tester. Typically, you have a very specific objective and everything the red team does is to meet that objective. We want to get in, be stealthy, stay low under the radar, accomplish our objective, and get out without you even knowing we were there. That’s the kind of team I work on.
Karen: It sounds like it could be a lot of fun. As a red team lead, what other kinds of people are on your team? What other kinds of roles do you work with?
Maril: It often depends on the size. You can be a one-woman red team, as I was at one of my previous organizations, where your work runs the gamut — it could be vulnerability testing firewalls and products to pen testing your website and helping the developers do DevSecOps. A larger red team will typically have someone doing exploit development, someone in charge of infrastructure, and someone who’s really good at pivot and lateral movement. You’ll also possibly have a social engineer or someone who’s good at the client side of your kill chain. That’s what usually I specialize in. I am gregarious and outgoing, so I’ll hop on and pretend to be someone else or I’ll write all the phishes and stuff.
By Felicia Rateliff, iKeepSafe
The increasing expansion of technology and the lack of qualified people to meet its demands has led to a great need for more cybersecurity workers. Many believe that increasing the cybersecurity workforce needs to begin with K-12 students. But how? To learn more, we went directly to the source. We asked middle and high school students and recent graduates for their perspectives on what they knew about cybersecurity careers.
All the students emphasized the importance of sharing the wide range of career options to students starting early. Diego Garcia-Rivera, an eighth grader from Las Vegas, NV, highlighted consensus of the group by stating, “you need to include the application of cybersecurity.” The students from the 2021 NICE K12 Cybersecurity Education Conference student panel and Cyber Signing Day awardees have more advice to share.
By Tish Rourke, Vice President of Cyber and Intelligence, Lockheed Martin’s Rotary and Mission Systems
As our nation and the world continue to face persistent and increasingly sophisticated, malicious cyber-attacks and campaigns, capabilities like Lockheed Martin’s full-spectrum cyber programs and cyber-resiliency become more important each day. Lockheed Martin, part of the Defense Industrial Base, is a global security and aerospace company that supports the “fifth domain” or cyberspace – the latest theater of warfare – alongside sea, land, air, and space.
At Lockheed Martin, every program, every platform, and every sensor and system we support has a cyber component and therefore needs not only the most cutting-edge cyber technology but also top-tier cyber professionals. Employees who take on the challenge of the CAP program not only create limitless career opportunities in the fifth domain, but they also cement themselves into the future of our national defense.
by Ralph Ley, Department Manager, Workforce Development and Training, Idaho National Laboratory
A recent report by Purdue University found there is only one degree program in the United States dedicated to producing industrial cybersecurity professionals -- those would be the individuals tasked to securely design, build, operate, and maintain the critical cyber-physical infrastructures that provide reliable electricity, clean drinking water, and affordable manufactured goods ranging from toilet paper to Tesla.
Eleven years after Stuxnet, a computer worm, it appears that almost no one has had the vision to push beyond a single university or college course dedicated to the topic. If cybersecurity is among the top national security concerns faced by the nation, industrial cybersecurity must be the single most critical overlooked educational topic.
Various organizations within the U.S. government own and operate programs designed to enhance the cybersecurity education, training, and workforce development needs of the nation. The following are a few of those programs with updates on their activities:
NIST has released three draft items related to the Workforce Framework for Cybersecurity (NICE Framework). The public is invited to provide comments on a draft NICE Framework update process, refactored Ability statements, and a 2nd draft of the NISTIR on Competencies.
Comments on the proposed NICE Framework Data Update Process, the refactored Ability statements, and second draft of NISTIR 8355 are due by January 31, 2022 at 11:59 p.m. ET. Learn more here.
Happy New Year! #ICYMI the National Initiative for Cybersecurity Careers and Studies website, commonly referred to as NICCS, has an improved layout with modernized interactive tools, new cybersecurity career resources, and updated training and education courses.
Looking for a new career in the new year? Check out the Cybersecurity Careers by State map for open cybersecurity positions in your area and across the country. Or maybe you’re looking to advance your cybersecurity career to the next level? The new Career Pathway Roadmap tool allows users to select up to five work roles to compare the tasks, knowledge, and skills needed for each to help you learn how to progress forward.
Interested in attending cybersecurity events in 2022? Find NICCS at the ESRI Federal GIS Conference on February 8th and 9th at the Walter E. Washington Convention Center in Washington, D.C. – the largest event for the federal government!
As a reminder, keep checking back to niccs.cisa.gov as NICCS is always adding new content, features, resources, events, and more!
To learn more about NICCS or their resources, email NICCS [at] hq.dhs.gov.
CAE-NCX Competition Coming this Spring
Teams of competitors are gearing up for the pilot of the CAE-NSA Cyber Exercise (CAE-NCX), slated to take place April 11-13, 2022. The exercise is a competition designed to develop and test cybersecurity skills, teamwork, planning, communication, and decision-making. Thirty-three teams representing all five CAE-C Regions across the CAE-Community plan to participate. Registration is already closed for teams who wish to compete in this spring’s CAE-NCX, but the 33 teams across the CAE-C Community who are slated to participate will help to blaze the trail for what is hoped to become a highly competitive annual event. NCX Tech Talks are open to the entire CAE-C Community at large, and registration information is at https://www.caecommunity.org/events/events.
CAE-CO Designation Tool Set to Commence this Winter
The first cycle of CAE-CO re-designations using the new tool will open in mid-January. The new tool has been in operation for a few cycles for CAE-CD designations, but the pilot for CAE-CO designations launched in October. Two universities participated in the pilot. Their application packages are currently under pre-submission review and will go to the final review panel in the coming weeks.
CAE-R Institutions Next to be Included in the Submission Tool
The new tool is being configured for CAE-R applications, using existing criteria. A pilot group has already been identified to work with mentors to submit material in the tool in the early spring. At the same time, small working groups are working to identify improvements to the CAE-R process and criteria. Items identified in the working groups should take effect in the fall of 2022.
The CAE Annual Report Submission Deadline Extended
The NCAE-C program office extended the due date for the annual report submissions to February 15, 2022. Submitting the report is required for all CAE institutions, with some exceptions for this year. CAE-CD institutions that were part of submission cycles 0-7, working in the tool and are new, are excused from the requirement this year. The remaining CAE-CD institutions, along with all those holding CAE-R or CAE-CO designations should complete the report. There are two parts to the report for CAE-CD and CAE-CO institutions – the POS and CAE portions – while CAE-R schools only have one part. Please contact the program office with any questions at caepmo [at] nsa.gov.
Mark Your Calendars for the CAE Symposium!
The CAE Symposium is scheduled for June 9-10, 2022 in Atlanta, GA, immediately following the NICE Conference. Stay tuned for more information in the coming months.
For more information, including links to resources, please visit the CAE Community website or email the team at ring [at] caecommunity.org.
Witnessing an Evolution- The NICE Framework and its Role in Building a Better Cybersecurity Workforce
December 15, 2021
During this webinar speakers discussed how you might use the NICE Framework to meet your own needs while engaging with a community of users in order to meet a common goal -- a diverse, prepared, and effective cybersecurity workforce. Learn more and view the recording here.
Digital Citizenship- Safety and Security for an Online World
October 20, 2021
This webinar explored digital citizenship as a competency that all citizens and workers need to ensure they are behaving responsibly, ethically, and legally and the importance of evaluating online information and resources for reliability and validity. Learn more and view the recording here.
Learn more: NICE Webinar Series
CyberSeek™ expands resources on Careers, Credentials and Training as the Need for Cybersecurity Professionals Grows Across the U.S. The enhancements to CyberSeek include updates to the supply and demand data as well as the addition of a Cybersecurity Education and Training Providers Locator with information on more than 1,000 academic institutions and training providers that are helping learners acquire knowledge and skills in cybersecurity. The interactive Cybersecurity Career Pathway has also been expanded and updated to reflect the current state of the employment market. Learn more about these updates in the official press release.
The NICE Community Coordinating Council (NICE Community) has been established to provide a mechanism in which public and private sector participants can develop concepts, design strategies, and pursue actions that advance cybersecurity education, training, and workforce development.
In early December 2021, NICE Community Council announced the National K12 Cybersecurity Education Roadmap. The Roadmap provides strategies for increasing the quantity, quality, and diversity of students pursuing cybersecurity careers. The Roadmap outlines five major elements:
New year, new resource! The NICE Community Coordinating Council’s Apprenticeships in Cybersecurity Community of Interest has released a map of cybersecurity apprenticeships in the United States. Programs listed in the NICE Cybersecurity Apprenticeship Program Finder may be registered with the U.S. Department of Labor’s Office of Apprenticeship, State-level registrations, or may not yet be registered.
Learn more: NICE Community Coordinating Council Website
In this webinar speakers will discuss Executive Order 14035 which is aimed at advancing Diversity Equity, Inclusion and Accessibility within the Federal workforce, data to illustrate where efforts are still needed within the Cybersecurity community, applicability of promoting professional development and advancement, and FBI successful agency practices to attract a broader workforce to perform Cybersecurity work.
Learn more and register here.
This webinar will explore effective practices for mentoring, highlight features of model programs, and showcase the Cybersecurity Mentoring Hub as a community of mentors and mentees in cybersecurity.
NICE webinars are free to attend, but registration is required.
Learn more and register here.
FISSEA Winter Forum Theme: Looking Forward: Cybersecurity Training to Meet the New Challenges
The FISSEA Forums are quarterly meetings to provide opportunities for policy and programmatic updates, the exchange of best practices, and discussion and engagement among members of the Federal Information Security Educators (FISSEA) community.
Learn more and register here.
This webinar will discuss what computational literacy is, how we can conceive of its emergence, and how we can nurture its advancement.
NICE webinars are free to attend, but registration is required.
Learn more and register here.
This year’s theme, “Demystifying Cybersecurity: Integrated Approaches to Developing Career Pathways,” inspires presentations that take a holistic view of cybersecurity risks that considers the dimensions of people, process, and technology and includes a comprehensive approach to the development of career pathway systems that address the lifecycle of a learner from early education through a life-long career in cybersecurity.
The NICE Conference 2021-22 planning committee will continue to accept proposals for Track 4: Emerging Topics in Cybersecurity through the extended deadline of March 6, 2022. This track highlights how recent events, new risks, or other contemporary developments affect the cybersecurity education, training, and workforce development landscape. Proposals should highlight challenges presented, lessons learned, and solutions that mitigate today’s cybersecurity risks. Learn more and submit a proposal here.
This event is supported by the National Initiative for Cybersecurity Education (NICE), a program of the National Institute of Standards and Technology in the U.S. Department of Commerce, under financial assistance award #70NANB18H025.
Learn more about the NICE Conference and Expo here.
Mark your calendars to celebrate Cybersecurity Career Awareness Week across the country. Join us in promoting awareness & exploration of cybersecurity careers by hosting an event, participating in an event near you, or engaging students with cybersecurity content!
Thank you to the 2021 participants in your hard work and dedication during the week-long campaign and making it a success. This cybersecurity career celebration would not have been possible without your engagement and collaboration.
Here's a Recap of Activities that Happened during the week of Cybersecurity Career Awareness Week:
ENGAGEMENTS BY NUMBERS
Thanks to all of the attendees, speakers, sponsors, exhibitors, and staff for making the 2021 NICE K12 Conference an incredible event. Conference content is available to registered attendees. You may view the recordings by log-in through the Whova App.
Additionally, during the 2021 NICE K12 Conference iKeepSafe hosted the National Cyber Signing Day. The annual National Cyber Signing Day celebrates high school students and recent graduates as they make their commitments to some of the state and country’s top schools and companies in their pursuit of a cutting-edge career in cybersecurity. View the 2021 National Cyber Signing Day Presentations here.
Save the date! The 8th annual NICE K12 Cybersecurity Education Conference will take place on December 5-6, 2022, in St. Louis, Missouri.
More details will be announced soon.
This event is supported by the National Initiative for Cybersecurity Education (NICE), a program of the National Institute of Standards and Technology in the U.S. Department of Commerce, under financial assistance award #70NANB20H144.
Learn more about the NICE K12 Cybersecurity Conference here.