Credit:
NICE
The NICE Workforce Framework for Cybersecurity (NICE Framework) has existed in one form or another for nearly 20 years. During this time, it has evolved and continues to be updated and refined to meet the changing needs of an interdisciplinary and comprehensive cybersecurity workforce. The framework is used by employers, education and training providers, consultants and other service providers, and learners in support of an integrated ecosystem of cybersecurity education, training, and workforce development.
- 2024: NICE releases version 1.0.0 of the NICE Framework Components as an Excel spreadsheet and in JSON format. This version 1.0.0 is the first release of the NICE Framework components in alignment with the 2020 SP 800-181r1 and includes updates to Work Role Categories and Work Roles as well as to the Task, Knowledge, and Skill (TKS) statements. It also includes for the first time Competency Areas. The NICE Framework Resource Center is updated to include FAQs, process information, and change logs at the same time.
- 2023: NICE publishes NIST Internal Report (NISTIR) 8355, NICE Framework Competencies: Preparing a Job-Ready Cybersecurity Workforce.
- 2022: The NICE Program Office submits the report Measuring Cybersecurity Workforce Capabilities: Defining a Proficiency Scale for the NICE Framework to Congress.
- 2021: The NIST Act (National Institute of Standards and Technology Act (15 U.S.C. 271))is amended to authorize NIST in Section 9402 (“DEVELOPMENT OF STANDARDS AND GUIDELINES FOR IMPROVING CYBERSECURITY WORKFORCE OF FEDERAL AGENCIES”) to develop standards and guidelines for improving the cybersecurity workforce of federal agencies as part of the NICE Framework. That same year NICE launches the new NICE Framework Users Group.
- 2020: The draft revision to the NICE Framework is made available for public comments and adjusted accordingly. The fourth and current version of the NICE Framework is published as NIST Special Publication 800-181 revision 1, the Workforce Framework for Cybersecurity (NICE Framework), in November 2020.
- 2019: NICE convenes a Core Authoring Team that includes representatives from numerous departments and agencies in the United States Federal Government to begin revisions to the NICE Framework in November 2019. This team receives responses from a Request for Comments and updates the NICE Framework to improve agility, flexibility, interoperability, and modularity.
- 2018: NICE releases a comparison spreadsheet of the NICE Framework Speciality Areas over time, including the early 2013 and 2014 versions as well as the first NIST SP 800-181 version published in 2017.
- 2017: The Office of the Secretary of Defense (OSD) expands on the framework document through internal engagements with service components and external engagements with the private sector. DHS and NIST co-authors work with OSD to refine their expansion, resulting in the third version of the NICE Framework, formally published for the first time as NIST Special Publication 800-181 in August 2017. This first version of NIST Special Publication 800-181, the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, emphasizes private sector applicability and reinforces the vision of the NICE Framework as a reference resource for both public and private sectors. It also introduces Work Roles for the first time.
- 2015: The Federal Cybersecurity Workforce Assessment Act of December 2015 calls upon the Federal Government to conduct workforce planning for its cyber workforce. Specifically, the Act requires agencies to:
- Identify and code positions with information technology, cybersecurity, and other cyber-related functions using the National Initiative for Cybersecurity Education (NICE) Framework; and
- Identify cybersecurity work roles of critical need and report on them annually through 2022.
- 2014: The Cybersecurity Enhancement Act of 2014 Title IV establishes the “National cybersecurity awareness and education program” to be led by NIST, thus formally establishing the NICE Program Office. This same year the DHS efforts to update the earlier Federal CIO Council framework result in a second public version of the NICE Framework, released in spreadsheet format. It retains the same structure as the earlier version, limited only to categories and specialty areas.
- 2013: The first version of the CIO Council framework (now called the “National Cybersecurity Workforce Framework”) is shifted to and published by NICE in April 2013, but is not yet a NIST special publication. At this stage, it is composed of categories, speciality areas (with example job titles), and task, knowledge, skill, and ability statements. Statements are not included for two categories: Collect and Operate, and Analyze. Work Roles and Competency Areas are not a part of this early framework model.
- 2012: The first version of the Federal CIO Council cybersecurity workforce framework is posted in September 2012. Information about its development process is published in September 2012. A subsequent U.S. government-wide review notes specific areas to be further examined and refined. The Department of Homeland Security (DHS) begins work to gather input and subsequently validate final recommendations via focus groups with subject matter experts from around the country and across industry, academia, and government.
- 2009: In May 2009, the Comprehensive National Cybersecurity Initiative, originally aimed at making the federal workforce better prepared to handle cybersecurity challenges, expands to include the private sector workforce via Initiative #8. Expand cyber education.
- 2008: The Federal Chief Information Officers (CIO) Council takes on the task to build on the DHS EBK and provide a standard framework to understand the cybersecurity roles within the federal government.
- 2007: The concept for the NICE Framework grew out of a need to define and assess the federal cybersecurity workforce. In 2007, the Department of Homeland Security forms the IT Security Essential Body of Knowledge (EBK): A Competency and Functional Framework for IT Security Workforce Development. The EBK seeks to establish a national baseline representing the essential knowledge and skills that IT security practitioners should possess.