Identifying Proficiency: NICE Framework Work Roles & Levels of Responsibility

Proficiency can be measured in many ways, with a wide variety of scales and assessment methods. It can look very different depending on the context, and there are numerous examples of existing models to pull from.

The NICE Workforce Framework for Cybersecurity (NICE Framework) defines a common structure and language to describe cybersecurity work and the knowledge and skills individuals must possess to effectively complete that work. Importantly, the NICE Framework describes cybersecurity work in a workplace context. That is, its content reflects work that is being conducted in real-life cybersecurity jobs. Because of this, it is important to define a proficiency scale in that context.

Credit: SFIA

View the NICE Framework Work Roles to SFIA Levels of Responsibility PDF

Levels of Responsibility

In 2022, NICE published a report to Congress on “Measuring Cybersecurity Workforce Capabilities: Defining a Proficiency Scale for the NICE Framework.” When considering existing models, one stood out as particularly promising—the SFIA Levels of Responsibility. SFIA is an internationally recognized skills framework used by “individuals and organisations wishing to enhance their digital and information technology skills and competencies.” The NICE Framework and SFIA framework are complementary—skills described in SFIA include areas such as cybersecurity, software engineering, enterprise IT, cloud, and data—content that is also represented in the NICE Framework. SFIA and NICE users frequently ask about using SFIA and NICE together, particularly for workforce development needs, and a mapping between the two frameworks is available.

Credit: SFIA

The SFIA levels of responsibility are a type of proficiency scale that represents increasing expertise and responsibility in professional roles at seven levels. The levels focus on the impact required by a role or required by a person in that role in the workplace. It can be used to determine workplace proficiency: to be effective in a role, you must be able to perform that role at the required level of impact. This approach:

• Emphasizes practical skills and work experience rather than solely academic knowledge or time in the field.
• Aligns work roles with present-day cybersecurity demands, ensuring that practitioners at all levels have the necessary expertise to combat cyber threats.
• Supports assessment of both actual capabilities and developmental potential.
• Visualizes career progression through increasing workplace impact.
• Promotes targeted professional development.

Each level is designed to be:

• Progressive: Builds on the previous level’s requirements
• Distinct: Clearly differentiated from adjacent levels
• Consistent: Uses uniform criteria across all Work Roles

The 2022 report recommended that NICE establish a workplace-focused NICE Framework proficiency scale modeled after the SFIA levels, an approach that is supported by the history of collaboration between the two organizations. As a result, NICE and SFIA have engaged together to map the NICE Framework Work Roles to the SFIA Levels of Responsibility to determining what levels each Work Role typically performs.

Using the Work Roles & Levels of Responsibility

• Career Discovery: Are you interested in learning more about a Work Role and what a job in that role might look like? NICE Framework Work Role Levels help individuals get a clearer picture about where a Work Role might fit in an organization and how it might shift over time, depending on what level it performs.
• Career Pathways: Are you just starting in your career, or maybe shifting into a role with cybersecurity responsibilities mid-career? Or it could be that you are already working in cybersecurity but want to plan your future. Exploring the NICE Framework Work Role Levels will help you find paths to the role and level you want.
• Workforce Planning and Hiring: Understanding NICE Framework Work Role Levels provides insights into what impact someone might have in an organization. It can help you create better job announcements, assess candidate capabilities, and support workforce training and development.