Q: What is the Workforce Framework for Cybersecurity (NICE Framework)?
A: The NICE Framework, NIST Special Publication (SP) 800-181 revision 1, is a national-focused resource that categorizes and describes cybersecurity work. Visit the NICE Framework website to learn more about it and discover some tools and resources for implementing and using it.
Q: When was the NICE Framework last updated?
A: The NICE Framework was published as NIST Special Publication 800-181 revision 1 in November of 2020. However, the document is intended to be a “living document” and will reviewed and updated periodically. NICE Framework Supplemental Material will also be updated periodically.
Q: Is there a machine-readable version of the NICE Framework?
A: No, the NICE Framework as presented by NIST is presently published as a pdf document and an associated reference spreadsheet. A handful of organizations have independently built databases of the NICE Framework as well which are noted as resources for the NICE Framework.
Q: Are there versions of the NICE Framework for unique industries: healthcare, financial services, critical infrastructure like utilities?
A: No, the intention is that the NICE Framework be used as a dictionary to describe cybersecurity work and only portions of it may be used depending on size and scope of an organization. It is meant to be broad enough to apply to multiple sectors and is void of reference to specific tools and products.
Q: I don’t see my specific work role in the NICE Framework. How can I find it or request it to be added?
A: In exploring the NICE Framework, you may not find that one work role that describes the cybersecurity work you perform. Your work may be defined by Knowledge, Skills, and Tasks from several work roles. If you would like to request a modification to the NICE Framework, follow the guidance in the change request process.
Q: Does the NICE Framework include measurements for Competencies? Proficiencies?
A: Competencies are re-introduced to the NICE Framework with 800-181 revision 1. A list of Competencies are being developed and will be provided as draft supplemental material in early 2021. While the NICE Framework does not include measurement of proficiencies, there are supplemental resources that do. Draft NISTIR 8193, NICE Framework Work Role Capability Indicators: Indicators for Performing Work Roles, documents the opinions of Federal subject matter experts regarding education, certification, training, experiential learning, and continuous learning that could signal an increased ability to perform a given NICE Framework work role.
Q: Will the NICE Framework be updated and how can I provide input?
A: The NICE Framework is a living document that will be updated via revision updates periodically. NICE will consider recommendations (change requests) for expansion, update/correction, withdrawal, or integration of NICE Framework components via the process described on the NICE Framework Revisions web page for input.
Q: What is the difference between the NICE Framework and the Cybersecurity Framework?
A: The Cybersecurity Framework or Framework for Improving Critical Infrastructure Cybersecurity (currently version 1.1) is a voluntary framework consisting of standards, guidelines, and best practices to manage cybersecurity-related risk [the how and what of cybersecurity]. The NICE Framework (see question above) is a reference resource that describes and categorizes roles and functions [the who of cybersecurity]. Read more about connections between these two frameworks in an article featured in the NICE enewsletter or Appendix D of NIST SP 800-181.