The Workforce Framework for Cybersecurity (NICE Framework), NIST Special Publication (SP) 800-181 revision 1, is a nationally focused resource that categorizes and describes cybersecurity work. It is used for career discovery, education and training, tools and services, and in hiring and career development. The NICE Framework is implemented in public and private sectors and across various industries. The NICE Framework Resource Center offers various resources for learning more about it and points you to tools, helpful guides, and links so you can get started implementing and using it.
The NICE Framework was published as NIST Special Publication 800-181 revision 1 in November of 2020. The NICE Framework components – Work Role Categories, Work Roles, Competency Areas, and Task, Knowledge, and Skill (TKS) statements – are maintained separately for regular review and updates. A full update of NICE Framework components (version 1.0.0) was released in March 2024. To learn more about additional planned updates, to suggest new updates, or to comment on proposed changes, visit the NICE Framework Resource Center.
The Workforce Framework for Cybersecurity (NICE Framework), NIST Special Publication (SP) 800-181 revision 1 is presently published as a PDF document. The NICE Framework components – Work Role Categories, Work Roles, Competency Areas, and Task, Knowledge, and Skill (TKS) statements – are maintained separately as a spreadsheet and in machine-readable JSON format. To access these resources, including translations, visit the NICE Framework Resource Center.
The NICE Framework is intended to be adopted across industries and sectors. It has been developed to be broadly applicable to multiple sectors and is void of reference to specific tools and products. Additionally, application of the NICE Framework is meant to be flexible – for example, the number of Work Roles in any one organization will depend on the organization’s size and scope.
That said, NICE is exploring the development of industry-specific profiles to help organizations and individuals better understand how the framework can be used in their particular field of work. If you are interested in supporting the development of such profiles, please contact us at NICEFramework [at] nist.gov.
The NICE Framework focuses on Work Roles – groups of tasks that an individual or team is responsible for – instead of jobs. A single job may be responsible for more than one Work Role, or only a portion of a single Work Role, depending on the organization and the job. In exploring the NICE Framework you may not find a single Work Role that fully describes the cybersecurity work you perform.
In addition, the NICE Framework focuses on areas of cybersecurity work that are broadly applicable to many organizations. Your job may be unique – whether because it represents an emerging area of work that isn’t mature enough to be defined as a Work Role yet, or because it is a niche job or in a narrow field that precludes it from being included in the NICE Framework. For emerging areas, the NICE Framework may represent the knowledge and skills needed for that domain as a Competency Area, which may later evolve into a consistent Work Role. Competency Areas may also describe areas that are defined by Knowledge, Skills, and Tasks from several Work Roles.
Finally, it may be that your area of work is simply a gap area for the NICE Framework. NICE is working to develop new Competency Areas and Work Roles to add to the framework; if you have a suggestion for a new area of work that you believe should be represented in the NICE Framework – or if an existing Work Role or Competency Area should be updated – please let us know. Information on how to request a modification to the NICE Framework can be found on our change requests FAQ.
In 2022 NICE prepared a report for Congress on Measuring Cybersecurity Workforce Capabilities: Defining a Proficiency Scale for the NICE Framework. This report discusses proficiency levels broadly to provide overall context and clarity, points to various extant models, summarizes findings regarding existing efforts to assess proficiency in the workforces of both the public and private sector, and provides recommendations for effective methods for measuring the cybersecurity proficiency of learners. NICE aims to develop a proficiency scale that can be applied to NICE Framework Work Roles and Competency Areas, to be released for comment in 2024.
The NICE Framework and its components are intended to be updated periodically. These updates might include the addition of new content, deprecation of outdated content, and revisions to existing content. NICE considers recommendations (change requests) for expansion, update/correction, withdrawal, or integration of NICE Framework components via the process described on the NICE Framework Revisions web page. Information on how to make change requests can be found on the NICE Framework Change Requests FAQ.
In addition, the NICE Framework Users Group serves as an excellent place for sharing ideas, asking questions, and making suggestions regarding the NICE Framework. Learn more about how to engage.
The NIST Cybersecurity Framework (CSF) or Framework for Improving Critical Infrastructure Cybersecurity is a voluntary framework consisting of standards, guidelines, and best practices to manage cybersecurity-related risk. Where the CSF describes what an organization should do in order to support key cybersecurity functions, including some information about how, the NICE Framework is then used to provide more detail on how that work is done, who is responsible, and what knowledge and skills are needed to conduct those activities. Read more about connections between these two frameworks in a 2018 NICE article and Appendix D of NIST SP 800-181.
Yes! Learn more in our K12 FAQ.