NIST Publishes National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework aka NICE Framework

NIST Cybersecurity Framework

compliments of

August 8, 2017. The National Institute of Standards and Technology (NIST) has published with an August 2017 publication date NIST Special Publication (SP) 800-181: National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. The Abstract for this publication follows:

“This publication describes the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NICE Framework), a reference structure that describes the interdisciplinary nature of the cybersecurity work. It serves as a fundamental reference resource for describing and sharing information about cybersecurity work and the knowledge, skills, and abilities (KSAs) needed to complete tasks that can strengthen the cybersecurity posture of an organization. As a common, consistent lexicon that categorizes and describes cybersecurity work, the NICE Framework improves communication about how to identify, recruit, develop, and retain cybersecurity talent. The NICE Framework is a reference source from which organizations or sectors can develop additional publications or tools that meet their needs to define or provide guidance on different aspects of cybersecurity workforce development, planning, training, and education.”

The Executive Summary offers the following need for this publication:

“As threats that exploit vulnerabilities in our cyberinfrastructure grow and evolve, an integrated cybersecurity workforce must be capable of designing, developing, implementing, and maintaining defensive and offensive cyber strategies. An integrated cybersecurity workforce includes technical and nontechnical roles that are staffed with knowledgeable and experienced people. An integrated cybersecurity workforce can address the cybersecurity challenges inherent to preparing their organizations to successfully implement aspects of their missions and business processes connected to cyberspace.”

The NICE Framework provides a consistent organizational structure for addressing cybersecurity requirements and needs in seven categories (description) and specialty areas within each category (list) (see Appendices A.1 and A.2):


  • Securely Provision (SP). Conceptualizes, designs, procures, and/or builds secure information technology (IT) systems, with responsibility for aspects of system and/or network development.
    • Risk Management (RSK)
    • Software Development (DEV)
    • Systems Architecture (ARC)
    • Technology R&D (TRD)
    • Systems Requirements Planning (SRP)
    • Test and Evaluation (TST)
    • Systems Development (SYS)
  • Operate and Maintain (OM). Provides the support, administration, and maintenance necessary to ensure effective and efficient information technology (IT) system performance and security.
    • Data Administration (DTA)
    • Knowledge Management (KMG)
    • Customer Service and Technical Support (STS)
    • Network Services (NET)
    • Systems Administration (ADM)
    • Systems Analysis (ANA)
  • Oversee and Govern (OV). Provides leadership, management, direction, or development and advocacy so the organization may effectively conduct cybersecurity work.
    • Legal Advice and Advocacy (LGA)
    • Training, Education, and Awareness (TEA)
    • Cybersecurity Management (MGT)
    • Strategic Planning and Policy (SPP)
    • Executive Cyber Leadership (EXL)
    • Program/Project Management (PMA) and Acquisition
  • Protect and Defend (PR). Identifies, analyzes, and mitigates threats to internal information technology (IT) systems and/or networks.
    • Cybersecurity Defense Analysis (CDA)
    • Cybersecurity Defense Infrastructure Support (INF)
    • Incident Response (CIR)
    • Vulnerability Assessment and Management (VAM)
  • Analyze (AN). Performs highly-specialized review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence.
    • Threat Analysis (TWA)
    • Exploitation Analysis (EXP)
    • All-Source Analysis (ASA)
    • Targets (TGT)
    • Language Analysis (LNG)
  • Collect and Operate (CO). Provides specialized denial and deception operations and collection of cybersecurity information that may be used to develop intelligence.
    • Collection Operations (CLO)
    • Cyber Operational Planning (OPL)
    • Cyber Operations (OPS)
  • Investigate (IN). Investigates cybersecurity events or crimes related to information technology (IT) systems, networks, and digital evidence.
    • Cyber Investigation (INV)
    • Digital Forensics (FOR)


Associated with each category and specialty area are work roles (see Appendix A.3). Here as examples are the two work roles for the Securely Provision (SP) category and Risk Management (RSK) specialty area:

  • Authorizing Official/Designating Representative. Senior official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation.
  • Security Control Assessor. Conducts independent comprehensive assessments of the management, operational, and technical security controls and control enhancements employed within or inherited by an information technology (IT) system to determine the overall effectiveness of the controls.

Associated with each work role are Nice Framework:


  • Tasks, of which there are 1,007 with Task IDs ranging from T0001-T1007 (Appendix A.4).
  • Knowledge Descriptions “applied directly to the performance of a function,” of which there are 630 with KSA IDs ranging from K0001-K0630, where KSA means “knowledge, skills, and abilities” (Appendix A.5).
  • Skills Descriptions, of which there are 374 with Skill IDs ranging from S0001-S0374, where skill is defined as “the observable competence to perform a learned [mental activity]” (Appendix A.6).
  • Ability Descriptions, of which there are 176 with Ability IDs ranging from A0001-A0176, where ability is defined as “competence to perform an observable behavior or a behavior that results in an observable product” (Appendix A.7).


Appendix B combines all of the aforementioned information in providing detailed work role attributes in the following classification for each of the seven categories (Appendices B.1-B.7):


  • Work Role Name
  • Work Role ID
  • Specialty Area
  • Category
  • Work Role Description
  • Tasks by “T” ID
  • Knowledge by “K” ID
  • Skills by “S” ID
  • Abilities by “A” ID


Finally, this document provides a crosswalk that links each NICE Framework Category to the pertinent Cybersecurity Framework Core Functions: Identify (ID), Protect (PR), Detect (DE), Respond (RS), and Recover (RC) (see Appendix D.1, page 127).


For any organization focused on improving its cybersecurity capabilities, this document provides information to “determine whether one or more existing staff have the necessary skills to complete the tasks described” for an effective cybersecurity program, and, similarly, tools to evaluate the capabilities of outside vendors.



  • October 2017 (1)
  • August 2017 (3)
  • July 2017 (1)
  • June 2017 (7)
  • May 2017 (12)
  • April 2017 (10)
  • March 2017 (2)
  • February 2017 (3)
  • January 2017 (4)
  • December 2016 (4)
  • November 2016 (7)
  • October 2016 (7)
  • September 2016 (2)
  • August 2016 (1)
  • July 2016 (3)
  • June 2016 (1)
  • May 2016 (1)
  • April 2016 (8)
  • March 2016 (6)
  • February 2016 (2)
  • December 2015 (1)
  • November 2015 (1)
  • October 2015 (4)
  • September 2015 (1)
  • June 2015 (8)
  • May 2015 (3)
  • April 2015 (2)
  • March 2015 (1)
  • November 2014 (1)
  • September 2014 (15)
  • August 2014 (6)
  • July 2014 (1)
  • June 2014 (13)
  • May 2014 (11)
  • April 2014 (13)
  • March 2014 (6)
  • February 2014 (12)
  • January 2014 (3)
  • December 2013 (1)