“In cybersecurity, where things are changing all the time, you’re going to need to have experiences that aren’t necessarily formalized in a certain environment yet,” Wetzel says.
“Having a framework that can demonstrate what those capabilities are and having people be able to express how they are able to apply those capabilities is really useful, particularly when we have need for so many people in this field.”
At a recent CISA hiring fair, Karas says, he came in to “triage” by looking at candidates’ resumes, figuring out the positions that best suited them and sending them to the proper hiring managers. NICE enables IT leaders to better understand the strengths of prospective employees.
“When somebody says, ‘I need a cyberdefense analyst,’ everybody knows what they need, or it sets the playing field level,” Karas says. “So, we know what we’re all talking about now.”
The NICE Framework also supports cybersecurity career development in grade school and high school by giving educators the proper language to prepare students with interest and talent to feed into the future workforce. The National Cyber League provides virtual training and competitive challenges for high school and college students on platforms derived from NICE guidelines.
DIVE DEEPER: Learn how federal agencies can benefit from a diverse IT staff.
How Does the NICE Framework Benefit Federal Agencies?
The NICE Framework includes assessment features to make sure cyber employees meet performance standards and determine if they might better fill gaps in other areas. It also helps agencies prepare for security risks to come and the workforce they’ll need down the road.
“You can make sure that you’re bringing in candidates who are going to be able to do this work and that you’re going to be able to assess them accordingly,” Wetzel says. “You then have stronger candidates, because they’re able to see themselves in those jobs, and agencies can have stronger hires. That helps with things like retention.”
The U.S. government has played catch-up with cybersecurity for decades, says John Pescatore, director of emerging security trends for the SANS Institute, an information security cooperative that provides education, certification and other resources to cyber professionals.
“We need so many security people because so many IT systems are built badly from a security standpoint,” Pescatore says. “It’s not like security comes along and opens a bottle of magic security sauce and pours it on things. Quite often, the old legacy systems have to be redone.”
The COVID-19 pandemic and subsequent shift to remote work accelerated the push toward zero-trust environments and multifactor authentication, and the NICE Framework helps federal agencies address the inherent security risks, he says. The cloud and the Internet of Things have moved security needs from centralized buildings to every possible endpoint, Pescatore says.
Wetzel acknowledges that future NICE revisions will incorporate changing trends. If agencies express a need to delineate zero-trust skills, NIST can add those to the framework.
Cloud security is one area that NICE is likely to address with more focus, Wetzel says. Artificial intelligence is another.
“We’re not going to say the NICE Framework is done,” Wetzel says. “It is going to be constantly evolving and being adjusted in order to meet needs.”