Cybersecurity Workforce Frameworks and Curricula
Last Updated: January 29, 2021
Cybersecurity, or information security ('infosec'), is a broad field of employment and study. There is a wide range of roles which require a variety of skills. In addition to this breadth, different topics can also require a high depth of knowledge. On top of all this, the field and corresponding skills are continually evolving as technologies and operating environments change.
This complexity makes it challenging to keep track of what skills are needed and by whom. The challenge affects several groups:
- Individuals who work in the field, or want to work in the field, need to know what to learn next and need to be able to differentiate between different training courses and certifications.
- Employers are trying to understand what skills their workforce has, what training might be required and who to recruit next.
- Educators are putting together programs and content to meet the needs of tomorrow's information security professionals.
It can be tempting to continually 'reinvent the wheel' when mapping skills to meet your needs. However, there are existing initiatives out there which can serve as a starting point for understanding and evaluating cybersecurity knowledge and skills. Sometimes your industry or geography will dictate which framework to use, other times you will need to establish which best meets your needs.
NICE Workforce Framework for Cybersecurity
NIST (the U.S. National Institute of Standards and Technology) runs the National Initiative for Cybersecurity Education (NICE), which maintains the Workforce Framework for Cybersecurity. The NICE Framework is defined by NIST Special Publication 800-181 and has a regular schedule for review and updates.
This workforce framework is made up of the work to be done (Tasks) and requirements to perform that work (Knowledge and Skills). Therefore, employers can combine Tasks to form specific job roles, whilst individuals can use Knowledge and Skills to describe what they know and what they need to learn.
The NICE Framework defines many Task, Knowledge and Skill (TKS) statements that are used to define roles and learning opportunities. The framework is also flexible enough for employers and educators to define additional TKS statements of their own.
DoD Directive 8140 and DoD Directive 8570
The U.S. Department of Defense (DoD) specifies its approach to Cyberspace Workforce Management in DoD Directive 8140.01, effective from October 5, 2020. Crucially, DoD 8140.01 'establishes the DoD Cyberspace Workforce Framework (DCWF) as the authoritative reference for the identification, tracking, and reporting of DoD cyberspace positions and foundation for developing enterprise baseline cyberspace workforce qualifications.' The DCWF leverages the NICE Workforce Framework for Cybersecurity described above.
DoD 8570.01-M is a manual which outlines specific DoD training requirements and was last updated in 2015. There is an accompanying list of 'Approved Baseline Certifications' which meet DoD requirements at different levels.
CyBOK - The Cyber Security Body of Knowledge
CyBOK is a 'comprehensive Body of Knowledge to inform and underpin education and professional training for the cyber security sector.' The University of Bristol leads the development of CyBOK, and it is funded by the U.K.'s National Cyber Security Programme.
This body of knowledge includes thorough descriptions, podcasts and webinars for 19 different knowledge areas (such as Network Security, Forensics and Cryptography) grouped under the following categories:
- Human, Organisational and Regulatory Aspects
- Attacks and Defences
- Software and Platform Security
- Infrastructure Security
CyBOK focuses on areas not captured under other existing bodies of knowledge (such as the IEEE Software Engineering Body of Knowledge or the ACM Computer Science Curriculum). It is released under the U.K.'s Open Government Licence.
CIISec Information Security Frameworks
The Chartered Institute of Information Security (CIISec) is a U.K.-based organisation for information security professionals. It maintains several frameworks as part of its capability methodology:
- Skills Framework
- Knowledge Framework
- Roles Framework
- Accreditation Framework
The frameworks are only accessible to CIISec members.
Published and Reference Curricula
Several institutions publish cybersecurity curricula that can help develop an understanding of the information security skills landscape. These resources vary in their accessibility, licensing and recency.
The Association for Computing Machinery (ACM) published a report in 2020 (Cyber2yr2020) which outlines the competencies and learning outcomes they expect in 2-year information security degree programs.
Cyber2yr2020 builds on the 2017 curricular guidelines that ACM published as part of a 'Joint Taskforce on Cybersecurity Education': the CSEC 2017 Curricular Guidelines.
National Cyberwatch Center
The National Cyberwatch Center is a consortium of higher education institutions, businesses, and government agencies focused on developing the United States' cybersecurity workforce. Academic institutions based in the U.S. can make use of several resources maintained by the National Cyberwatch Center:
- Cybersecurity Skills Journal
- Cybersecurity curricula
- Cloud-based labs
- Student Association
NATO Reference Curriculum
In 2016, NATO published a reference cybersecurity curriculum which is available for download on their website. As you would expect, the audience for this document is members of NATO, and therefore it covers areas including:
- Cyberspace and the Fundamentals of Cybersecurity
- Risk Vectors
- International Cybersecurity Organisations, Policies and Standards
- Cybersecurity Management in the National Context
Software Engineering Institute, CMU
As well as being home to the renowned 'CERT Division', the Software Engineering Institute at Carnegie Mellon University publishes curricula for:
- Software Assurance
- Software Engineering
- Survivability and Information Assurance
Educational, commercial and government institutions may incorporate these excellent resources into their own infosec training programs.
National Cybersecurity Curriculum Program (NCCP)
The US NCCP is developed by the American National Security Agency (NSA) and is hosted online by the CLARK Center. It is a broad collection of cybersecurity learning content mapped to the NICE Workforce Framework. Various institutions contribute content on topics from malware analysis to cybersecurity legalities and policy.
Work Role Definitions
The final piece of the puzzle is bringing together cybersecurity skills in the definition of work roles. Adding this definition takes us from defining individuals and education to defining information security careers and managing the workforce. Several sources of work role definitions are listed below. However, it is important to remember that work roles and job descriptions will necessarily vary significantly depending on any given organisation's needs.
The NICE Workforce Framework includes some defined work roles and has the flexibility for organisations to define their own using the NICE knowledge, skill and task definitions.
If you work in an industrial control system (ICS) environment, the SANS Institute defines several ICS job roles.
The Occupational Information Network (ONET) defines many occupations linked to cybersecurity, from Digital Forensics Analysts to Penetration Testers. For each occupation, it lists tasks and detailed work activities. ONET is sponsored by the U.S. Department of Labor/Employment and Training Administration.
Finally, the U.K. government has developed a 'Security Profession Career Framework.' This framework includes both traditional security roles, such as physical and personnel security, and cyber roles. Cyber roles include mappings to CIISec skills, recommended training, and career pathways.
Choosing the right approach
Which framework or curriculum is best will depend on your specific needs. If you are focused on mapping infosec skills between individuals, training and job roles, then the NICE Workforce Framework is likely to be a good fit. If you want to understand the different areas of knowledge within the cyber domain, look at CyBOK. And if you are developing a more comprehensive education programme, start with one of the reference curricula.