The NICE Framework is a living document that is updated periodically based on change requests to the NICE Program Office. NICE will consider recommendations (change requests) for expansion, update/correction, withdrawal, or integration of NICE Framework components using the process described below. These recommendations allow the Framework to continue to serve as a fundamental reference for describing and sharing information about cybersecurity work, workforce, training, and education, as well as the knowledge, skills, and abilities (KSAs) needed to complete cybersecurity tasks and responsibilities.
Drawing on public and private sector input, NICE works to achieve consensus on the change requests balancing the need for periodic change and the need for a stable framework. This approach will ensure that the NICE Framework continues to be a reference resource to support a workforce capable of meeting an organization’s cybersecurity needs.
Section 1.1 below describes the process a change requests will undergo. Section 1.2 below lists the type of information that should accompany the change requests.
CHANGE REQUEST PROCESS
The following text describes the general change request process, illustrated in Figure 1, below:
A NICE Framework user who sees a potential change to the NICE Framework content may submit a change request electronically at any time by email to: niceframework [at] nist.gov (niceframework[at]nist[dot]gov). (See Section 1.2 for guidance on the content to include with a change request.)
The NICE Program Office will acknowledge receipt of the change request.
The NICE Program Office will perform a preliminary review of the change request to confirm that the request is clear and contains relevant, supporting content. Incomplete change requests will be returned to the submitter with feedback.
Complete change requests will be evaluated for their applicability to the NICE Framework. Some change requests will be relevant to the overall ecosystem of cybersecurity education, training, and workforce development, but not directly relevant to the content of the NICE Framework. Such change requests will be noted in the NICE Framework Denied Request Log with an explanation for the denial. The Denied Request Log supports transparency and helps inform users about changes that have already been considered or identifies when a change requests is duplicative of existing material in the NICE Framework. Change requests deemed complete and applicable will move to step 5.
If the change request is an administrative adjustment, such as to correct a minor error, the change will occur immediately and will be recorded in the NICE Framework Change Log shown below. The change will be made to the appropriate tables in the NICE Framework and the reference materials posted on the NICE Framework website.
Applicable, non-administrative change requests will be reviewed by the NICE Framework Change Panel, a panel of cyber skills subject matter experts. The panel may ask NICE to seek more public development for some change requests using a repository for the NICE Framework on NIST’s GitHub site. Approved changes will be noted in the NICE Framework Change Log and those changes will be made to the appropriate tables in the NICE Framework and the reference materials posted on the NICE Framework website. The Denied Change Log will be updated when a change request is denied.
Figure 1. NICE Framework Change Request Process
GUIDANCE FOR CHANGE REQUEST CONTENT
The change request provides an opportunity to indicate the rationale for the request and to provide additional information regarding its impact and timeliness.
Please submit the required information below for each type of change.
Add Task – Recommended task description, rationale for addition and applicable Work Role(s) where the task should be listed
Change Task – Current Task ID, Updated task description, rationale for change and applicable Work Roles(s) where the task should be listed
Delete Task – Rationale for deletion
Add KSA – Recommended KSA description and identification of Work Role(s) in which the KSA should be listed
Change KSA – Current KSA ID, recommended KSA description and rationale for change
Delete KSA – KSA ID and rationale for deletion
Add Work Role – Recommended description and recommended Specialty Area in which Work Role fits
Change Work Role – Work Role ID, rationale for change and a listing of KSA(s) and Task(s) affected. If applicable, rationale for moving the changed Work Role to a different Specialty Area
Delete Work Role – Work Role ID and rationale for deletion
The NICE Program Office will maintain an ongoing record both of changes accepted and implemented (the Change Log) and of change requests that were not implemented (the Denied Change Log). Users are encouraged to review these logs before submitting their requests.