The United States government is circulating a draft document of seven high-level categories that details descriptions, tasks, skills and job titles of IT security occupations that should help the federal government - and other public and private organization - to architect more effectively their staffs to safeguard data and systems (details of the categories are provided below).
NICE Cybersecurity Workforce Framework, from the National Initiative on Cybersecurity Education, provides detailed descriptions of the cybersecurity roles of and skills for scores of occupations, including some that might not appear to be tied to IT security.
Government agencies have been hampered in setting basic requirements, identifying skills and furnishing training to workers because of a lack of a common language to understand the work and skills required to secure IT. "There has not been a consistent way to define or describe cybersecurity work across the federal workforce," NICE Leader Ernest McDuffie said in a statement issued with the draft publication. "Other professions have organized their specialties, and now it is time for a common set of definitions for the cybersecurity workforce."
Occupational classifications for IT security within government would help simplify recruiting - recruiters would know the specific expertise to seek - and facilitate training by defining what skills need to be developed. Today, most cybersecurity professionals are classified as information technology specialists.
Karen Evans, the top IT official in the second Bush administration, said the framework will help individuals as well to "move from place to place and build upon their skills set ... due to having a common way to refer to knowledge, skills and abilities."
The publication of the cybersecurity workforce framework from NICE, an interagency effort coordinated by the National Institute of Standards and Technology, comes a year after the Commission on Cybersecurity for the 44th Presidency recommended to the federal government its own taxonomy on IT security occupations (see 9 Key Cybersecurity Roles for Government ).
Franklin Reeder, a former Office of Management and Budget executive and co-author with Evans of the commission white paper on IT security skills, said defining roles on real tasks is critical in developing IT security curriculum, creating certification programs and screening professionals. "Very different skill sets and proficiencies are required for the various roles involved in securing our cyber assets," Reeder says. "An intrusion detection analyst does very different things from, say, a software developer or a system administrator. ... Ultimately, we need a regime of screening tools and professional certifications that test proficiency, not just knowledge and skills."
The framework's seven high-level categories, each with detailed description of tasks, skills and job titles, include:
Conceptualizes, designs and builds secure IT systems, with responsibilities for some aspects of the systems' department.
- Information Assurance Compliance: Oversees, evaluates and supports the documentation, validation and accreditation processes necessary to assure that the new IT systems meets the organization's information assurance requirements. Ensures compliance.
- Software Engineering: Develops, creates and codes new or modifies existing computer applications, software and specialized utility programs.
- Enterprise Architecture: Develops the systems concerpts and works on the capabilities phases of the systems development lifecycle. Translates technology and environmental conditions such as law and regulation into system and security design and processes.
- Technology Demonstration: Conducts technology assessment and integration processes. Provides and supports a prototype capability and evaluates its utility.
- Systems Requirements Planning: Consults with customers to gather and evaluate functional requirements and translates these requirements into technical solutions. Provides guidance to customers about applicability of information systems to meet business needs.
- Test and Evaluation: Develops and conducts tests of systems compliance with specifications and requirements, applying principles and methods for cost-effective planning, evaluating, verifying and validating of technical, functional and performance characteristics, including interoperability, of systems or elements of systems incorporating IT.
- Systems Development: Work on the develop phases of the systems development lifecycle.
Provides support, administration and maintenance necessary to ensure effective and efficient IT systems performance and security.
- Data Administration: Develops and administers databases and/or data management systems that allow for the storage, query and utilization of data.
- Information Systems Security Management: Oversees the information assurance program of an information system; may include procurement duties.
- Knowledge Management: Administers processes and tools to enable the organization to identify, document and access intellectual capital and information content.
- Network Services: Installs, configures, tests, operates, maintains and managements networks and their firewalls, including hardware and software that permit the sharing and transmission of all spectrum transmissions of information to support the security of information and IT systems.
- Systems Administration: Installs, configures, troubleshoots and maintains server configurations to ensure their confidentiality, integrity and availability. Manages accounts, firewalls and patches. Responsible for access control, passwords and account creation and administration.
- Systems Security Analysis: Conducts the integration, testing, operations and maintenance of systems security.
Furnishes identification, analysis and mitigation of threats to internal IT systems and networks.
- Computer Network Defense: Uses defensive measures and information collected from a variety of sources to identify, analyze and report events that occur or might occur with the network in order to protect information, systems and networks from threats.
- Incident Response: Responds to crisis or urgent situations within the pertinent domain to mitigate immediate and potential threats. Uses mitigation, preparedness and response and recovery approaches to maximize survival of life, preservation of property and information security. Investigates and analyzes all relevant response activities.
- Computer Network Defense Infrastructure Support: Tests, implements, deploys, maintains and administers infrastructure hardware and software required to effectively manage the computer network defense service provider network and resources. Monitors network to actively remediate unauthorized activities.
- Security Program Management: Manages relevant security implications within the organization, specific program or other areas of responsibilities to include strategic, personnel, infrastructure, policy enforcement, emergency planning, security awareness and other resources.
- Vulnerability Assessment and Management: Conducts assessments of threats and vulnerabilities, determines deviations from acceptable configurations, enterprise or local policy, assesses the level of risk and develops and/or recommends appropriate mitigation countermeasures.
Responsible for the investigation of cyber events and/or crimes of IT systems, networks and digital evidence.
- Investigation: Applies tactics, techniques and procedures for a full range of investigative tools and processes to include, but not limited to, interview and interrogation techniques, surveillance, countersurveillance and surveillance detection, and appropriately balances the benefits of prosecution versus intelligence gathering.
- Digital Forensics: Collects, processes, preserves, analyzes and presents computer-related evidence in support of network vulnerability mitigation and/or criminal, fraud, counterintelligence or law enforcement investigations.
Accountable for the highly specialized collection of cybersecurity information that may be used to develop intelligence.
- Collection Operations: Executes collection using appropriate strategies and within the priorities established through the collection management process.
- Cyber Operations Planning: Gathers information and develops detailed operational plans and orders supporting requirements. Conducts strategic and operational-level planning across a full range of operations for integrated information and cyberspace operations.
- Cyber Operations: Uses automated tools to manage, monitor and/or execute large-scale cyber operations in response to national and tactical requirements.
Responsible for highly specialized review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence.
- Cyber Threat Analysis: Identifies and assesses the capabilities and activities of cyber criminals or foreign intelligence entities. Produces findings to help initialize or support law enforcement and counterintelligence investigations or activities.
- Exploitation Analysis: Analyzes collected information to identify vulnerabilities and potential exploitations.
- All-Source Intelligence: Analyzes threat information from multiple sources, disciplines and agencies across the intelligence community. Synthesizes and places intelligence information in context. Draws insights about possible implications.
- Targets: Applies knowledge of one or more regions, counties, non-state entities and/or technologies.
Provides support so that others may effectively conduct their cybersecurity work.
- Legal Advice and Advocacy: Furnishes legally sound advice and recommendations to leads and staff on various relevant topics. Advocates legal and policy changes and makes a case on behalf of client through a range of written and worl products, including legal briefs and proceedings.
- Strategic Planning and Policy Development: Applies knowledge of priorities to define an entity's direction, determine how to allocate resources and identify programs or infrastructure that are required to achieve desired goals. Develops policy or advocates for changes in policy to support new initiatives or required enhancements.
- Education and Training: Conducts training of personnel within pertinent subject domain. Develops, plans, coordinate and evaluates training courses, methods and techniques as appropriate.
NICE is accepting public comments on the draft, which can be submitted by Dec. 16 through the framework's website.