Q: What is the Workforce Framework for Cybersecurity (NICE Framework)?
A: The NICE Framework, NIST Special Publication (SP) 800-181 revision 1, is a national-focused resource that categorizes and describes cybersecurity work. Visit the NICE Framework website to learn more about it and discover some tools and resources for implementing and using it.
Q: When was the NICE Framework last updated?
A: The NICE Framework was published as NIST Special Publication 800-181 revision 1 in November of 2020. However, the document is intended to be a “living document” and will reviewed and updated periodically. NICE Framework Supplemental Material will also be updated periodically.
Q: Is there a machine-readable version of the NICE Framework?
A: No, the NICE Framework as presented by NIST is presently published as a pdf document and an associated reference spreadsheet. A handful of organizations have independently built databases of the NICE Framework as well which are noted as resources for the NICE Framework.
Q: Are there versions of the NICE Framework for unique industries: healthcare, financial services, critical infrastructure like utilities?
A: No, the intention is that the NICE Framework be used as a dictionary to describe cybersecurity work and only portions of it may be used depending on size and scope of an organization. It is meant to be broad enough to apply to multiple sectors and is void of reference to specific tools and products.
Q: I don’t see my specific work role in the NICE Framework. How can I find it or request it to be added?
A: In exploring the NICE Framework, you may not find that one work role that describes the cybersecurity work you perform. Your work may be defined by KSAs and Tasks from several work roles. If you would like to request a modification to the NICE Framework, follow the guidance in the change request process. Recent work to reintroduce competencies to the NICE Framework include the development of a pivot table tool that enables you to see KSAs related to competencies. If you were to identify competencies that you demonstrate in your work, you could then pull KSAs from the pivot table tool to describe your cybersecurity role.
Q: Does the NICE Framework include measurements for proficiencies? Competencies?
A: While the NICE Framework does not include measurement of proficiencies or competencies, there are supplemental resources that do. Draft NISTIR 8193, NICE Framework Work Role Capability Indicators: Indicators for Performing Work Roles, documents the opinions of Federal subject matter experts regarding education, certification, training, experiential learning, and continuous learning that could signal an increased ability to perform a given NICE Framework work role. Additionally, an updated draft to NIST SP 800-16, will enable one to define an organizationally specific cybersecurity role that can be used to develop or identify training that will prepare one to perform the work required by one’s organization. It reintroduces competencies and maps each KSA to one of those competencies.
Q: Will the NICE Framework be updated and how can I provide input?
A: The NICE Framework is a living document that will be updated via revision updates periodically based on input from a Request for Comments issued in November 2019. NICE will consider recommendations (change requests) for expansion, update/correction, withdrawal, or integration of NICE Framework components from the RFC and also use the process described on the NICE Framework Revisions web page for input.
Q: What is the difference between the NICE Framework and the Cybersecurity Framework?
A: The Cybersecurity Framework or Framework for Improving Critical Infrastructure Cybersecurity (currently version 1.1) is a voluntary framework consisting of standards, guidelines, and best practices to manage cybersecurity-related risk [the how and what of cybersecurity]. The NICE Framework (see question above) is a reference resource that describes and categorizes roles and functions [the who of cybersecurity]. Read more about connections between these two frameworks in an article featured in the NICE enewsletter or Appendix D of NIST SP 800-181.