Draft NIST Special Publication 800-181

NICE Cybersecurity Workforce Framework (NCWF)

National Initiative for Cybersecurity Education (NICE)

Bill Newhouse
Applied Cybersecurity Division
Information Technology Laboratory

Stephanie Keith
Cyber Workforce Strategy & Policy Division
Office of the Deputy DoD Chief Information Officer

Benjamin Scribner
Cyber Education and Awareness Branch
DHS National Protection and Programs Directorate

Greg Witte
G2, Inc.
Annapolis Junction, MD

November 2016

U.S. Department of Commerce
Penny Pritzker, Secretary

National Institute of Standards and Technology
Willie May, Under Secretary of Commerce for Standards and Technology and Director

Authority

This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130.

Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official. This publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would, however, be appreciated by NIST.

National Institute of Standards and Technology Special Publication 800-181
Natl. Inst. Stand. Technol. Spec. Publ. 800-181, 130 pages (November 2016)
CODEN: NSPUE2

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts and methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST.

Organizations are encouraged to review all draft publications during public comment periods and provide feedback to NIST. Many NIST cybersecurity publications, other than the ones noted above, are available at http://csrc.nist.gov/publications.

Public comment period: November 2, 2016 through January 6, 2017

National Institute of Standards and Technology
Attn: Applied Cybersecurity Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 2002), Gaithersburg, MD 20899-2002
Email: ncwf@nist.gov

All comments are subject to release under the Freedom of Information Act (FOIA).

NIST SP 800-181 (DRAFT)    NICE CYBERSECURITY WORKFORCE FRAMEWORK (NCWF)

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL's responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal information systems. The Special Publication 800-series reports on ITL's research, guidelines, and outreach efforts in information system security, and its collaborative activities with industry, government, and academic organizations.

Abstract

This publication describes the NICE Cybersecurity Workforce Framework (NCWF), the product of many years of collaboration regarding workforce training and education. NCWF provides a fundamental reference resource for describing and sharing information about cybersecurity work roles, the discrete tasks performed by staff within those roles, and the knowledge, skills, and abilities (KSAs) needed to complete the tasks successfully. As a common, consistent lexicon that categorizes and describes cybersecurity work, the NCWF improves communication about how to identify, recruit, develop, and retain cybersecurity talent. The NCWF is a resource from which organizations or sectors can develop additional publications or tools focused on defining or providing guidance on aspects of workforce development, planning, training, and education.

Keywords

Ability; cybersecurity; cyberspace; education; knowledge; role; skill; task; training; work role.

Acknowledgements

The authors gratefully acknowledge and appreciate the significant contributions from individuals and organizations in the public and private sectors, whose thoughtful and constructive comments improved the overall quality, thoroughness, and usefulness of this publication. We appreciate the leadership and work of Rodney Petersen, Director of the National Initiative for Cybersecurity Education (NICE) at the National Institute of Standards and Technology (NIST). In particular, we also wish to thank Lynne Clarke, Ryan Farr, Jodi Guss, Lori Pfannenstein, Kevin Sanchez-Cherry, Danielle Santos, Stephanie Shively, Matt Smith, Bluma Sussman, Baris Yakin, Onika Williams, and Montana Williams for their individual contributions to this publication.

The first NCWF was posted for public comment in September of 2012 and published in April 2013 as NCWF version 1.0 [1]. The authors wish to recognize Dr. Jane Homeyer, Anne Quigley, Rex Min, Maya Yankelevich, and Peggy Maxson for leading its development, and we wish to recognize Roy Burgess for his leadership in the development of NCWF version 2.0 [2].

Finally, the authors also respectfully acknowledge the seminal work in computer security that dates back to the 1960s. The vision, insights, and dedicated efforts of those early pioneers in computer security serve as the philosophical and technical foundation for the tasks, knowledge, skills, and abilities noted in this publication to address the critically important problem of cybersecurity workforce.

Note to Reviewers

With the continuing frequency, intensity, and adverse consequences of cybersecurity attacks, disruptions, hazards, and threats to federal, state, and local governments, the military, businesses, industry, and critical infrastructure, the need for a workforce prepared to deploy, provide, maintain, and develop the requisite cybersecurity has never been more important to the economic and
national security interests of the United States.

- Bill Newhouse, Deputy Director, NICE

Trademark Information

All trademarks or registered trademarks belong to their respective organizations.

Executive Summary

The National Initiative for Cybersecurity Education (NICE), led by the National Institute of Standards and Technology (NIST) in the U.S. Department of Commerce, is a partnership between government, academia, and the private sector working to energize and promote a robust network and an ecosystem of cybersecurity education, training, and workforce development. NICE fulfills this mission by coordinating with government, academic, and industry partners to build on existing successful programs, facilitate change and innovation, and bring leadership and vision to increase the number of skilled cybersecurity professionals helping to keep our nation secure.

NICE is committed to cultivating an integrated cybersecurity workforce that is globally competitive from hire to retire, prepared to protect our nation from existing and emerging cybersecurity challenges. Despite increasing awareness and global focus on cybersecurity, many managers report a shortage of skilled cybersecurity workers and need assistance with hiring qualified staff to fill critical security gaps. To address these needs, this publication describes the NICE Cybersecurity Workforce Framework (NCWF).

As the threats to cybersecurity and the protections implemented grow and evolve, a cybersecurity workforce must be prepared to adapt, design, develop, implement, maintain, measure, and understand all aspects of cybersecurity. A cybersecurity workforce includes not only technically focused staff but those who apply knowledge of cybersecurity and its inherent challenges when preparing their organization to successfully implement its mission. A knowledgeable and skilled cybersecurity workforce can implement and maintain protections and take actions to meet our nation's needs.

This publication serves as a fundamental reference to support a workforce capable of meeting an organization's cybersecurity needs. It describes how the NCWF provides organizations with a common, consistent lexicon to categorize and describe cybersecurity work. The document defines the NCWF components, namely Categories, Specialty Areas, and Work Roles. Finally, it describes a superset of cybersecurity Tasks for each work role and the Knowledge, Skills, and Abilities (KSAs) demonstrated by a person whose cybersecurity position includes each work role. Based upon these components, the common lexicon provided by the NCWF enables consistent organization and communication about cybersecurity work.

The NCWF can be viewed as a cybersecurity workforce dictionary, and consumers of the NCWF can reference it for different workforce development, education, and/or training purposes. For instance, it provides a starting point and helps set standards for developing academic pathways, career pathways, position descriptions, and training content. The NCWF helps to ensure our nation is able to educate, recruit, train, develop, and retain a highly qualified cybersecurity workforce. It serves several key audiences within the cybersecurity community, including:

• Employers, to help assess their cybersecurity workforce, identify critical gaps in cybersecurity staffing, and improve position descriptions;

• Current and future employees, to help explore Tasks and Work Roles and assist with understanding the KSAs that are being valued by employers for in-demand cybersecurity jobs and positions. The NCWF also enables staffing specialists and guidance counselors to use the NCWF as a resource to support these employees or job seekers;

• Training and certification providers who desire to help current and future members of the cybersecurity workforce gain and demonstrate the KSAs;

• Education providers who may use the NCWF as a reference to develop curriculum, courses, seminars, and research that cover the KSAs and Tasks described; and

• Technology providers who can identify cybersecurity Work Roles and specific Tasks and KSAs associated with services and hardware/software products they supply.

As a mechanism to organize information technology (IT), cybersecurity, and cyber-related work, the NCWF helps organizations to organize roles and responsibilities through the following components:

• Categories – A high-level grouping of common cybersecurity functions;

• Specialty Areas – Distinct areas of cybersecurity work;

• Work Roles – The most detailed groupings of IT, cybersecurity, or cyber-related work, which include specific knowledge, skills, and abilities required to perform a set of tasks;

• Tasks – Specific work activities that could be assigned to a professional working in one of the NCWF's Work Roles; and

• Knowledge, Skills, and Abilities (KSAs) – Attributes required to perform Tasks, generally demonstrated through relevant experience or performance-based education and training.

The NCWF components work together to describe the range of cybersecurity work from a high level to the very granular. Each Category contains Specialty Areas, each of which contains one or more Work Roles. Each Work Role is composed of numerous Tasks and KSAs. Providing this range of detail helps organizations to systematically build their cybersecurity workforce, which in turn enables improved performance, cost-effective workforce management, and continuous readiness.

While some of the NCWF is based on federal government programs, any organization with cybersecurity workforce needs will benefit from the standards described and can customize the NCWF as needed.

Using the NCWF as described above will help strengthen an organization's cybersecurity workforce. Investment in the existing workforce, such as through initiatives focused on training and retaining existing talent, will help the organization to prepare for and realize its risk management objectives. The common language provided by the NCWF also helps bridge workforce needs to external frameworks such as the Cybersecurity Framework (CSF) [3], the U.S. Department of Labor Competency Models [4], the U.S. Department of Education Employability Skills Framework [5], and the National Security Agency (NSA)/Department of Homeland Security (DHS) National Centers of Academic Excellence in Cyber Defense (CAE-CD) Knowledge Units [6].

The NCWF builds upon decades of industry research into how to effectively manage the risks to valuable organizational electronic and physical information. Cybersecurity tactics are ever-changing, always identifying new ways to gain information advantage through technology. As we evolve, the ways we perform cybersecurity functions continue to evolve, as must the components of the NCWF. As part of an ongoing collaborative approach, NICE will periodically consider recommendations received and will update the NCWF publication(s). Additionally, new reference materials or tools will be developed to cross-reference elements of the NCWF. To the extent possible, digital reference materials will be posted to the NICE website as an aid to applying and utilizing NCWF and associated materials.

Table of Contents

Executive Summary
1 Introduction
1.1 NCWF Background
1.2 Purpose and Applicability
1.3 Audience (NCWF Consumers)
1.3.1 Employers
1.3.2 Current and Future Cybersecurity Workers
1.3.3 Educators/Trainers
1.3.4 Technology Providers
1.4 Organization of this Special
Publication
2 NCWF Components and Relationships
2.1 Components of the NCWF
2.1.1 Categories
2.1.2 Specialty Areas
2.1.3 Work Roles
2.1.4 Tasks
2.1.5 Knowledge, Skills, and Abilities
2.2 NCWF Component Relationships
3 Applying the NCWF
3.1 Identification of Cybersecurity Workforce Needs
3.2 Education and Training of Cybersecurity Workforce Members
3.3 Recruitment and Hiring of Highly Skilled Cybersecurity Talent
3.4 Retention and Development of Highly Skilled Cybersecurity Talent
3.5 Cybersecurity Framework (CSF)
3.5.1 Example Integration of CSF with NCWF
4 Future Revision Process
4.1 Additional Concepts for Future Consideration

List of Appendices

Appendix A— Listing of NCWF Elements
A.1 NCWF Workforce Categories
A.2 NCWF Specialty Areas
A.3 NCWF Work Roles
A.4 NCWF Work Role Tasks
A.5 NCWF Knowledge Descriptions
A.6 NCWF Skills Descriptions
A.7 NCWF Ability Descriptions
Appendix B— Work Role Detail Listing
Appendix C— Acronyms
Appendix D— References

List of Tables

Table 1 - Crosswalk of NCWF Workforce Categories to CSF Functions
Table 2 - NCWF Workforce Categories
Table 3 - NCWF Specialty Areas
Table 4 - NCWF Work Roles
Table 5 - NCWF Work Role Tasks
Table 6 - NCWF Knowledge Descriptions
Table 7 - NCWF Skills Descriptions
Table 8 - NCWF Ability Descriptions

1 Introduction

The National Initiative for Cybersecurity Education (NICE), led by the National Institute of Standards and Technology (NIST) in the U.S. Department of Commerce, is a partnership between government, academia, and the private sector working to energize and promote a robust network and an ecosystem of cybersecurity education, training, and workforce development. NICE fulfills this mission by coordinating with government, academic, and industry partners to build on existing successful programs, facilitate change and innovation, and bring leadership and vision to increase the number of skilled cybersecurity professionals helping to keep our nation secure.

NICE is committed to cultivating an integrated cybersecurity workforce that is globally competitive from hire to retire, prepared to protect our nation from existing and emerging cybersecurity challenges.

There are national activities that focus on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization's risk management processes. A skilled cybersecurity workforce is needed to meet the unique cybersecurity needs of critical infrastructure, enterprise, and operational technology systems and networks. As the threats to cybersecurity and the protections implemented grow and evolve, a cybersecurity workforce must be prepared to adapt, design, develop, implement, maintain, measure, and understand all aspects of cybersecurity. A cybersecurity workforce includes not only technically focused staff but those who apply knowledge of cybersecurity and its inherent challenges when preparing their organization to successfully implement its mission. A knowledgeable and skilled cybersecurity workforce can implement and maintain the protections and take actions to meet our nation's needs.

Today's systems and networks are complex assemblages of technology (i.e., hardware, software, and firmware), processes, and people working together to provide organizations with the capability to process, store, and transmit information in a timely, more secure manner to support various missions and business functions. The degree to which organizations have come to depend upon these systems and networks to conduct routine, important, and critical missions and business functions means that the protection of the underlying systems and environments of operation is paramount to the success of the organization.

The selection of appropriate security and privacy controls for information systems continues to be an important task that can have significant implications on the operations and assets of an organization as well as the welfare of individuals. Finding qualified individuals with the Knowledge, Skills, and Abilities (KSAs) who can select, maintain, assess, implement, and upgrade the appropriate security and privacy controls is a challenge being addressed by more and more organizations, who now understand that cybersecurity risks need to be addressed by a capable and ready cybersecurity workforce.

Understanding how to develop and maintain a workforce that allows an organization to focus on the cybersecurity risks to its operations and assets, to individuals, to other organizations, and to the nation is vital. A prepared cybersecurity workforce is also essential in a globally interconnected digital information and communications infrastructure that underpins almost every facet of modern society and provides critical support for the U.S. economy, civil infrastructure, public safety, and national security.

1.1 NCWF Background

The concept for the NCWF began before the establishment of NICE and grew out of the recognition that the cybersecurity workforce (federal and private industry) could not be measured and that the roles needed to support our nation's cybersecurity were undefined. To combat this challenge, the Federal Chief Information Officers (CIO) Council was tasked in 2008 to provide a standard framework to understand the cybersecurity roles within the federal government.

In 2008, the Federal CIO Council produced a research report that referenced where other information technology professional development efforts were also under way, and specific roles were identified as needed by agencies to conduct cybersecurity work.

In 2011, thirteen roles were identified and published by the Federal CIO Council. This content was created with input from focus groups with subject-matter experts from numerous federal agencies.

Building on this work, the first version of the NCWF was posted for public comment in September 2011. The comments were incorporated into a version that became the basis of cybersecurity functional codes by the Office of Personnel Management (OPM) in 2013. Use of these codes enabled federal agencies to identify the cybersecurity workforce, determine baseline capabilities, examine hiring trends, identify skill gaps, and more effectively recruit, hire, develop, and retain a valuable cybersecurity workforce.

A government-wide review of that first version of the NCWF provided an opportunity for other organizations to comment and recommend edits. The Department of Homeland Security (DHS) analyzed this input and validated final recommendations via focus groups with subject-matter experts from around the country and across private industry, academia, and government.

A key focus of DHS' focus groups was to gather equal input across industry sectors to ensure that the NCWF is applicable across the nation and not just to government agencies. The resulting second version of the NCWF was drafted, validated, and published in 2014.

Since 2014, the Department of Defense (DoD) further refined the NCWF and added the Work Roles – which are provided for the first time in this publication – to add more specificity and to help organizations better associate cybersecurity positions with the NCWF. DoD developed the Work Roles with input from private industry and government, and DHS refined them to ensure private sector and civilian government applicability.
1.2 Purpose and Applicability

The purpose of this publication is to provide a fundamental reference resource to support a workforce capable of meeting an organization's cybersecurity needs by:

• Providing organizations with a common, consistent lexicon that categorizes and describes cybersecurity work;

• Organizing cybersecurity work into seven high-level Categories and over 50 Work Roles within those seven Categories;

• Offering a superset of Tasks for each Work Role; and

• Offering a superset list of Knowledge, Skills, and Abilities (KSAs) for each work role.

Using the NCWF as a reference resource will improve the communication about cybersecurity needed to identify, recruit, and develop talent. The NCWF will allow employers to use more focused, consistent language in professional development programs, in their use of industry certifications, and in their selection of relevant training opportunities for their workforce.

The NCWF facilitates the use of a more consistent, comparable, and repeatable approach to select and specify cybersecurity roles for positions within organizations. It also provides a common lexicon that academic institutions can use to develop cybersecurity curricula that better prepares students for current and anticipated cybersecurity workforce needs.

The application of the NCWF as a resource is meant to offer the ability to describe all cybersecurity work. An applicability goal of the NCWF is that any cybersecurity job or position can be described by identifying the relevant components identified within the NCWF. Context of the mission or business processes being supported by that job or position will drive which components are selected from within the NCWF. This document does not seek to provide a definition of cybersecurity, since the use of that term varies depending upon an organization's mission or business context.

The NCWF is a resource from which organizations or sectors can develop additional publications or tools focused on defining or providing guidance on aspects of workforce development, planning, training, and education.

1.3 Audience (NCWF Consumers)

The NCWF can be viewed as a cybersecurity workforce dictionary, and consumers of the NCWF will reference it for different workforce development, education, or training purposes. The NCWF is an essential resource that will help to ensure that our nation can educate, recruit, train, develop, and retain a highly qualified cybersecurity workforce.

1.3.1 Employers

Use of the common lexicon within the NCWF enables employers to establish standards for inventorying and developing their cybersecurity workforce. The NCWF can be used by employers and organizational leadership to:

• Inventory and track their cybersecurity workforce to gain a greater understanding of the strengths and gaps in Knowledge, Skills, and Abilities and Tasks performed;

• Identify training and qualification requirements to develop critical Knowledge, Skills, and Abilities to perform cybersecurity Tasks;

• Improve position descriptions and job vacancy announcements by using specific Work Roles from the NCWF and selecting relevant KSAs and Tasks; and

• Identify the most relevant Work Roles and develop career paths to guide staff in gaining the requisite skills for those roles.

Figure 1 illustrates how the NCWF helps to build a strong cybersecurity workforce.

[Figure 1 - Building Blocks for a Capable and Ready Cybersecurity Workforce]

As shown, several key inputs improve the benefits and value of the NCWF for a capable and ready cybersecurity workforce:

• A common lexicon supports consistent use of terminology by educators, employers, and employees.

• Criticality Analysis helps to identify those Tasks and KSAs that form a baseline set (i.e., that are key to multiple Work Roles or to specific role-based training). The analysis also helps identify those Tasks and KSAs that are critical for successful performance with a given Work Role.

• Proficiency Analysis supports understanding of the expectation of the level to which a person in a Work Role exhibits the KSAs described. For example, someone in a given Work Role may exhibit varied understanding and ability as that worker progresses from entry-level to expert. Proficiency considerations are an important workforce consideration and are included in the additional concepts for future consideration in the NCWF, as described in Section 4.1.

1.3.2 Current and Future Cybersecurity Workers

The NCWF supports those in the cybersecurity field, and those who might wish to enter the cybersecurity field, to explore Tasks within cybersecurity Categories and Work Roles. It also assists those who support these workers, such as staffing specialists and guidance counselors, to help job seekers and students understand which cybersecurity Work Roles and which associated Knowledge, Skills, and Abilities are being valued by employers for in-demand cybersecurity jobs and positions.

These workers are further supported when vacancy announcements and open position descriptions use the common lexicon of the NCWF, providing clear and consistent descriptions of the cybersecurity tasks and training that are likely to be needed for those positions.

When training providers and industry certification providers use the common lexicon of the NCWF, those in the cybersecurity field or those who might wish to enter the cybersecurity field can find training and/or certification providers that can help them learn the tasks necessary to secure a cybersecurity job or to progress into new positions. Use of the common lexicon helps students and professionals to obtain KSAs that are typically demonstrated by a person whose cybersecurity position includes a given Work Role. This understanding helps them seek out academic programs that include learning outcomes and knowledge units that map to the KSAs and Tasks that are valued by employers.

1.3.3 Educators/Trainers

The NCWF provides a reference for educators to develop curriculum, training programs, courses, seminars, and exercises or challenges that cover the KSAs and Tasks described in the NCWF.

Staffing specialists and guidance counselors can use the NCWF as a resource for career exploration.

1.3.4 Technology Providers

The NCWF allows a technology provider to identify the cybersecurity Work Roles and the Tasks and KSAs associated with hardware and software products and services they provide.

1.4 Organization of this Special Publication

The remainder of this special publication is organized as follows:

• Chapter Two defines the components of the NCWF: (i) Categories, (ii) Specialty Areas, (iii) Work Roles, (iv) associated supersets of Tasks, and (v) Knowledge, Skills, and Abilities for each Work Role.

• Chapter Three shows the application of the NCWF through cross-walk illustrations with applicable external models.

• Chapter Four describes the process by which revisions to the NCWF will be periodically addressed.

• Appendix A describes the NCWF list of Categories, Specialty Areas, Work Roles, Tasks, and KSAs.

• Appendix B provides a detailed listing of each Work Role, including the associated Tasks and KSAs.

• Additional appendices describe applicable acronyms and references.

2 NCWF Components and Relationships

2.1 Components of the NCWF

The NCWF organizes information technology (IT), cybersecurity, and cyber-related
work This section introduces and defines the core components of the NCWF in support of those areas 450 2 1 1 451 452 453 454 Categories provide the overarching organizational structure of the NCWF There are seven Categories and all are composed of Specialty Areas and Work Roles This organizing structure is based on extensive job analyses that groups together work and workers that share common major functions regardless of job titles or other occupational terms 455 2 1 2 456 457 458 459 460 461 462 Categories contain groupings of cybersecurity work which are called Specialty Areas There were 31 Specialty Areas called out in NCWF version 1 0 1 and 32 in NCWF version 2 0 2 Each specialty area represents an area of concentrated work or function within cybersecurity Those previous versions of the NCWF provided the typical Tasks and Knowledge Skills and Abilities KSAs within each specialty area Specialty Areas in a given Category are typically more similar to one another than to Specialty Areas in other Categories In this publication Tasks and KSAs are now connected with the Work Roles defined in Appendix A 463 2 1 3 464 465 466 Work Roles are the most detailed groupings of IT cybersecurity or cyber-related work These roles include lists of knowledge skills and abilities that a person must have to perform a set of functions or tasks 467 468 469 For members of the cybersecurity workforce work being performed is described by selecting one or more Work Roles from the NCWF relevant to that job or position in support of mission or business processes 470 471 To aid in the organization and communication about cybersecurity responsibilities Work Roles are grouped into specific classes of categories and specialty areas as described below 472 2 1 4 473 474 475 Every Work Role requires an individual to perform certain duties or Tasks Tasks are examples of the type of work that could be assigned to a professional working in one of the NCWF’s Work Roles 476 2 1 5 477 478 Knowledge 
Skills, and Abilities (KSAs) are the attributes required to perform a job and are generally demonstrated through relevant experience, education, or training. The NCWF associates KSAs with Work Roles to clearly define the qualifying experience or capabilities needed to successfully perform the tasks or functions associated with a given Role.

2.2 NCWF Component Relationships

Various NCWF components work together to describe IT, cybersecurity, and cyber-related work. As illustrated in Figure 2, each Category is supported by Specialty Areas, each of which is supported by one or more Work Roles. Each Work Role, in turn, is composed of numerous discrete Tasks and associated KSAs. Notably, KSAs numbered K0001 through K0006 are core to all cybersecurity activities and apply to every Work Role.

Grouping components in this manner helps to organize the Work Roles and related Tasks and KSAs, simplifies communicating about cybersecurity topics, and helps with alignment to external frameworks. Specific associations of Work Roles to Tasks, Knowledge, Skills, and Abilities are described in Appendix B.

Figure 2 - Relationships among NCWF Components

3 Applying the NCWF

Application of the various components as described in Section 2 enables the organization to achieve a broad array of benefits. Using the NCWF to understand organizational needs, and to assess the extent to which those needs are met, helps the organization to plan, implement, and monitor a successful cybersecurity program. The following topics illustrate how to apply the NCWF to achieve these business purposes: ensuring effective performance, cost-effective workforce management, and continuous cybersecurity readiness. While several of the
examples are based upon a strategy that is specific to federal government programs, any organization with cybersecurity workforce needs will benefit from the principles described. The following topics are helpful to all those involved in cybersecurity workforce development.

3.1 Identification of Cybersecurity Workforce Needs

With technology becoming a critical element of nearly every part of society, cybersecurity is a rapidly changing and expanding field. This expansion requires a cadre of skilled workers to help organizations perform cybersecurity functions. As organizations identify what is needed to manage risk adequately, both now and in the future, leaders need to consider the workforce capabilities and capacity needed.

The DHS Cybersecurity Workforce Development Toolkit (CWDT) [9], which provides tools and guidance to help organizations understand and build their cybersecurity workforce, describes the first step in preparing to build your cybersecurity workforce as having a shared vision for organizing your cybersecurity workforce against cybersecurity work. Having a common understanding supports leaders in responding to changing environments, giving you data to better adjust resources, see patterns of work, and highlight areas of potential risk. This understanding is especially important in the ever-changing environment of cybersecurity. The CWDT includes a Cybersecurity Workforce Planning Capability Maturity Model (CMM), a self-assessment tool to help organizations evaluate the maturity of their cybersecurity workforce planning capability.

Once the organization has determined its cybersecurity requirements, such as through a cybersecurity audit or an internal self-assessment, the NCWF helps specify the Work Roles and Tasks that will help fulfill them. While general terms such as "cyber professionals" have historically been used to measure needs, the specificity provided by the NCWF offers a better approach to describing the dozens
of discrete job functions needed. By defining the required and available competencies of resources, and by identifying gaps between required and available skills, the organization can identify critical needs. The NCWF helps an organization to answer the following questions, drawn from the Baldrige Cybersecurity Excellence Builder Tool [10], regarding maintenance of an effective and supportive workforce environment to achieve its cybersecurity goals:

• How do you assess your workforce capability and capacity needs related to cybersecurity?

• How do you organize and manage your cybersecurity workforce to establish roles and responsibilities?

• How do you prepare your workforce for changing cybersecurity capability and capacity needs?

The cybersecurity landscape is always evolving, so the NCWF helps to provide continuous monitoring of these needs as part of a proactive risk management approach.

3.2 Education and Training of Cybersecurity Workforce Members

Access to information security education and training has grown significantly in recent years, partly due to efforts by the federal government to improve and expand formal cybersecurity education programs. Despite this success, many organizations continue to find that such programs are not adequately preparing students to support the needs described by the Work Roles. The NCWF, through its consistent lexicon, helps educators to prepare students with the specific Knowledge, Skills, and Abilities that should be demonstrated by a person whose cybersecurity position includes those Work Roles.

Academic institutions are a critical part of preparing and educating the cybersecurity workforce. Collaboration among public and private entities, such as through the NICE program, enables such institutions to determine the common knowledge and abilities that are needed. In turn, developing
and delivering curricula that are harmonized with the NCWF lexicon allows institutions to better prepare students for filling employers' cybersecurity positions. As the pipeline of students finding desired jobs in cybersecurity increases, more students will be attracted to academic cybersecurity programs as a reliable pathway to a career. An example of such success is the NSA/DHS National Centers of Academic Excellence in Cyber Defense (CAE-CD) Program Office, which developed a mapping document [6] that demonstrates the relationship between the CAE-CD Knowledge Units and the NCWF.

3.3 Recruitment and Hiring of Highly Skilled Cybersecurity Talent

As relevant cybersecurity assessments (e.g., information security audits) inform the organization about risk management priorities, and in response to the workforce assessment described in Section 3.1, application of the NCWF will help organizations to accomplish better strategic workforce planning and hiring. NCWF definitions may be used to create or revise position descriptions that consistently portray the Work Roles, and the lexicon helps candidates to accurately seek out the specific positions for which they are interested and qualified. Through the use of NCWF Task definitions to describe job duties and responsibilities, and the use of NCWF KSAs to describe the position's needed skills and qualifications, candidates and hiring managers will gain a consistent understanding of expectations. Application of these criteria also helps to develop evaluation criteria for vetting and approving candidates.

The DHS CMSI PushbuttonPD™ Tool [11] allows managers, supervisors, and HR specialists to rapidly draft a federal employee Position Description (PD) without the need for extensive training or prior knowledge of position classification. It is designed to present language from multiple mission-critical authoritative sources and standards for duties, tasks, and KSAs; rapidly capture the hiring official's requirements; and present them in a robust hiring package that
can be easily integrated into existing agency HR processes.

Application of the NCWF is not restricted to external hiring. Because it supports specific training recommendations and performance measurement capability, the framework assists organizations with retraining existing staff to take on cybersecurity Work Roles. The NCWF may also support organizations' ability to temporarily or permanently obtain external staff augmentation to fill those gaps that were identified in Section 3.1, and/or to obtain external resources that can support education and training to ensure that internal candidates end up with the necessary knowledge and skills.

3.4 Retention and Development of Highly Skilled Cybersecurity Talent

A critical aspect of a skilled cybersecurity workforce involves the retention and development of the skilled talent already onboard. A current employee has existing relationships, institutional knowledge, and organizational experience that are hard to replace. Refilling a position after an employee leaves often brings new advertising and hiring costs, expenses for training, diminished productivity, and reduced morale. The DHS CWDT [9] offers profiles as a guide to retaining staff at every level, whether entry-level, mid-career, or seasoned cybersecurity professionals. The following list illustrates some of the ways that the NCWF supports retention and development of cybersecurity talent:

• Since some personnel recognize that cybersecurity is an exciting and technical field, the broad range of Work Roles and Specialty Areas provides a range of cybersecurity functions to which they might aspire and work to attain.

• While some organizations have been able to attract cybersecurity talent, the ability
to retain such talent will depend in part on the ability to offer a progressively challenging and evolving set of Work Roles, such as those enumerated by the NCWF.

• A detailed understanding of the Tasks and KSAs helps existing staff to understand the specific steps needed to develop their capabilities, promoting readiness for a particular desired position. The organization might even rotate staff into such positions to develop skills in a particular set of KSAs.

• Understanding of the Tasks and KSAs helps organizations to identify group training opportunities that will help prepare numerous staff members to perform duties in particular Categories, Specialty Areas, and Work Roles.

• KSAs help organizations to understand which technical abilities will help a person in a position that includes specific cybersecurity Work Roles. Building upon the value of knowledge-based certifications, organizations may be able to use training and examinations that are based on cybersecurity skills and abilities, such as those that evaluate KSA proficiency in a realistic environment.

• Considering the gaps identified in Section 3.1, the organization can use existing personnel to fill critical cybersecurity staffing needs, leveraging the ability to review résumés of existing staff to identify those with desirable KSAs.

• Organizations can identify personnel who are diligent in improving KSAs in relevant areas, rewarding those who perform well and developing improvement plans for those needing work in particular areas of ability.

• The NCWF is helpful for existing employees who desire to move into a cybersecurity Work Role from another position (e.g., a reliable employee in a non-cybersecurity work role that is being phased out, or a worker in a position that is less challenging than desired). Through identification of a challenging career path,
such an employee may be invigorated by the new opportunity, armed with an understanding of what KSAs will help prepare them for the new role.

Using the NCWF as described above will help strengthen the organization's cybersecurity workforce. Investment in the existing workforce, such as through initiatives focused on training and retaining existing talent, will help the organization to prepare for and realize its risk management objectives.

3.5 Cybersecurity Framework (CSF)

In 2014, NIST released the Framework for Improving Critical Infrastructure Cybersecurity [3], commonly referred to as the Cybersecurity Framework (CSF). Developed in response to Executive Order (EO) 13636 [12], the CSF was created to provide a performance-based and cost-effective approach to help organizations identify, assess, and manage cybersecurity risk. It was built through a series of public workshops convened by NIST to better understand what standards and methodologies are helpful for achieving effective risk management, and how voluntary, existing good practices might be implemented to improve cybersecurity.

The CSF is composed of three parts: the Framework Core, Framework Implementation Tiers, and Framework Profiles. Each component reinforces the connection between business drivers and cybersecurity activities. The part of the CSF most relevant to the NCWF is the Framework Core. The Core's elements work together as follows:

• Functions organize basic cybersecurity activities at their highest level. These Functions (Identify, Protect, Detect, Respond, and Recover) are described in further detail below.

• Categories are the subdivisions of a Function into groups of cybersecurity outcomes closely tied to programmatic needs and particular activities.

• Subcategories further divide a Category into specific outcomes of technical and/or management activities. They provide a set of results that, while not exhaustive, help to support achievement
of the outcomes in each Category.

• Informative References are specific sections of standards, guidelines, and practices common among critical infrastructure sectors that illustrate a method to achieve the outcomes associated with each Subcategory. The Informative References presented in the Framework Core are illustrative and not exhaustive. They are based upon cross-sector guidance most frequently referenced during the Framework development process.

A companion document, the NIST Roadmap for Improving Critical Infrastructure Cybersecurity [13], discusses key areas of CSF development and alignment, including industry collaboration. Its plans are based on feedback received from stakeholders throughout the development process, including elements that impact cybersecurity workforce organization and communication. The roadmap points to the need for a skilled cybersecurity workforce to meet the unique cybersecurity needs of critical infrastructure. It recognizes that as the cybersecurity threat and technology environments evolve, the workforce must continue to adapt to design, develop, implement, maintain, and continuously improve the necessary cybersecurity practices.

The Core Functions each contribute to a high-level understanding of the cybersecurity needs of the organization:

• Identify (ID): Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

• Protect (PR): Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.

• Detect (DE): Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

• Respond (RS): Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.

• Recover (RC): Develop and implement the appropriate activities to
maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

In many ways, these Functions correlate to the NCWF Categories. Table 1 describes the relationships among the CSF Functions and NCWF Categories.

Table 1 - Crosswalk of NCWF Workforce Categories to CSF Functions

NCWF Category | Category Description | Related CSF Function(s)
Securely Provision (SP) | Conceptualizing, designing, and building secure information technology (IT) systems, with responsibility for some aspect of the systems' development | Identify (ID), Protect (PR)
Operate and Maintain (OM) | Providing the support, administration, and maintenance necessary to ensure effective and efficient information technology (IT) system performance and security | Protect (PR), Detect (DE)
Oversee and Govern (OV) | Specialty Areas responsible for providing leadership, management, direction, or development and advocacy so that the organization may effectively conduct cybersecurity work | Identify (ID), Protect (PR), Detect (DE), Recover (RC)
Protect and Defend (PR) | Specialty Areas responsible for identifying, analyzing, and mitigating threats to internal information technology (IT) systems or networks | Protect (PR), Detect (DE), Respond (RS)
Analyze (AN) | Specialty Areas responsible for highly specialized review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence | Identify (ID), Detect (DE), Respond (RS)
Collect and Operate (CO) | Specialty Areas responsible for specialized denial and deception operations and collection of cybersecurity information that may be used to develop intelligence | Detect (DE), Protect (PR), Respond (RS)
Investigate (IN) | Specialty Areas responsible for investigating cybersecurity events or crimes related to information technology (IT) systems, networks, and digital evidence | Detect (DE), Respond (RS), Recover (RC)

3.5.1 Example Integration of CSF with NCWF

While the CSF and the NCWF were developed separately, each complements the other
by describing a hierarchical approach to achieving cybersecurity goals. Consider the following example.

The CSF's Detect Function includes a Category of Security Continuous Monitoring (DE.CM). The Category includes a Subcategory, DE.CM-1, pointing to an outcome of "The network is monitored to detect potential cybersecurity events." While the CSF describes this outcome and provides several Informative References regarding the security controls to achieve it, the CSF does not provide any informative guidance regarding who should be responsible for attaining the outcome or what KSAs would apply.

Reviewing the NCWF, we identify the Cybersecurity Defense Incident Responder (PR-IR001) role in the Protect and Defend (PR) Category, Incident Response (IR) Specialty Area. We can review the description of this role to ensure that it aligns with the CSF DE.CM-1 outcome:

Responds to disruptions within the pertinent domain to mitigate immediate and potential threats. Uses mitigation, preparedness, and response and recovery approaches to maximize survival of life, preservation of property, and information security. Investigates and analyzes relevant response activities and evaluates the effectiveness of, and improvements to, existing practices.

Investigates, analyzes, and responds to cybersecurity incidents within the network environment or enclave.

We learn from Appendix A of this document that the person whose position includes this Work Role might be expected to perform many of the following Tasks, which align with the desired CSF outcome:

• T0041 - Coordinate and provide expert technical support to enterprise-wide cybersecurity defense technicians to resolve cybersecurity defense incidents.

• T0047 - Correlate incident data to identify specific vulnerabilities and make recommendations that enable expeditious
remediation.

• T0161 - Perform analysis of log files from a variety of sources (e.g., individual host logs, network traffic logs, firewall logs, and intrusion detection system (IDS) logs) to identify possible threats to network security.

• T0163 - Perform cybersecurity defense incident triage, to include determining scope, urgency, and potential impact; identifying the specific vulnerability; and making recommendations that enable expeditious remediation.

• T0170 - Perform initial, forensically sound collection of images and inspect them to discern possible mitigation/remediation on enterprise systems.

• T0175 - Perform real-time cybersecurity defense incident handling (e.g., forensic collections, intrusion correlation and tracking, threat analysis, and direct system remediation) tasks to support deployable Incident Response Teams (IRTs).

• T0214 - Receive and analyze network alerts from various sources within the enterprise and determine possible causes of such alerts.

• T0233 - Track and document cybersecurity defense incidents from initial detection through final resolution.

• T0246 - Write and publish cybersecurity defense techniques, guidance, and reports on incident findings to appropriate constituencies.

• T0262 - Employ approved defense-in-depth principles and practices (e.g., defense-in-multiple places, layered defenses, security robustness).

• T0278 - Collect intrusion artifacts (e.g., source code, malware, Trojans) and use discovered data to enable mitigation of potential cybersecurity defense incidents within the enterprise.

• T0279 - Serve as technical expert and liaison to law enforcement personnel and explain incident details as required.

• T0312 - Coordinate with intelligence analysts to correlate threat assessment data.

• T0333 - Perform cybersecurity defense trend analysis and reporting.

• T0395 - Write and publish after-action
reviews.

• T0503 - Monitor external data sources (e.g., cybersecurity defense vendor sites, Computer Emergency Response Teams, SecurityFocus) to maintain the currency of cybersecurity defense threat condition and determine which security issues may have an impact on the enterprise.

• T0510 - Coordinate incident response functions.

Furthermore, from Appendix B we can learn the broad range of KSAs that might be needed by a person whose cybersecurity position includes this Work Role.

Armed with this information, an organization seeking to achieve the outcome described by CSF DE.CM-1 may determine whether one or more existing staff have the necessary skills to complete the tasks described. If one or more KSAs are lacking, the employee desiring to fill that Work Role will know specifically what areas need improvement and can seek academic classes or industry training to gain the necessary knowledge. If no such staff are found, the employer has specific Task descriptions and KSA requirements that may be advertised in a job posting, or that may be used to obtain contractor staff to augment existing personnel.

4 Future Revision Process

The NCWF builds upon decades of industry research into how to effectively manage the risks to valuable organizational electronic and physical information. Through the years, the industry that has been referred to as computer security, information security, and now cybersecurity has been supported by dedicated workers performing an evolving set of Work Roles, Tasks, and KSAs. Cybersecurity tactics are ever-changing, always identifying new ways to gain information advantage through technology. As we evolve the ways we perform cybersecurity functions, so must the components of the NCWF continue to evolve.

NCWF users are encouraged to provide feedback and comments through the Workforce Framework page at the NICE
project website [14]. As part of an ongoing collaborative approach, NICE will periodically consider the current set of recommendations for expansion, update, correction, withdrawal, or integration of NCWF elements. The program will work to achieve consensus on these recommended changes, drawing on public and private sector input (including that of federal cybersecurity workforce and education leadership), and the NCWF publication will be updated accordingly. This approach provides an ongoing set of NCWF elements that are stable, flexible, and technically sound for use as a reference for workforce training and educational needs.

Additionally, new reference materials will be developed to cross-reference elements of the NCWF. To the extent possible, digital reference materials will be posted to the NICE website as an aid to applying and utilizing the NCWF and associated materials.

4.1 Additional Concepts for Future Consideration

Several work-related elements have been raised in various discussions and, while not currently integrated into the NCWF, are areas that are likely to be the subject of further research and guidance. The areas of further investigation are:

• Systems Security Engineering (SSE): Many elements of systems security engineering, a specialty engineering discipline of systems engineering, contribute to a fully integrated system-level perspective of cybersecurity. Additional research will be conducted to ensure that the Tasks and KSAs described fully support the SSE life cycle described in Draft NIST Special Publication (SP) 800-160, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems [15]. SP 800-160 describes how SSE "helps to ensure that the appropriate security principles, concepts, methods, and practices are applied during the system life cycle to achieve stakeholder objectives for the protection of assets
across all forms of adversity characterized as disruptions, hazards, and threats; to reduce security vulnerability and therefore reduce susceptibility to adversity; and to provide a sufficient base of evidence that supports claims that the desired level of trustworthiness has been achieved — that is, a level of trustworthiness that the agreed-upon asset protection needs of stakeholders can be adequately satisfied on a continuous basis despite such adversity."

• Relationship of Job Title to Work Role: Job titles are a description of an employee's job or position in the organization. Job titles vary from organization to organization. Rather than looking to job titles as a means to determine that a position is in the cybersecurity field, it may be beneficial to look at Tasks as a means to identify the cybersecurity Work Roles that are being performed. For the federal government, development of a dedicated cybersecurity job series may enable easier translation between the NCWF and job titles. It would also make it easier to inventory cybersecurity positions and target workforce development (e.g., hiring and incentives, training, retention programs).

• Competency: Extensive work has been done to consider competency models, which support NCWF participants in many ways. The Department of Labor's Employment and Training Administration [8] defines a competency as "the capability of applying or using knowledge, skills, abilities, behaviors, and personal characteristics to successfully perform critical work tasks, specific functions, or operate in a given role or position." In addition to the enumeration of technical KSAs, competency models also consider behavioral indicators and describe nontechnical considerations such as Personal Effectiveness, Academic, and Workplace Competencies. Additional information about these considerations is available from the
Department of Labor's CareerOneStop site [4].

• Proficiency Levels and Career Paths: Beginner, Intermediate, and Senior/Expert proficiency levels can be described by exploring Experience, Credentials, Competencies/Skills and KSAs, and Training/Development Activities. The DHS CWDT includes a section known as ADVANCE (Develop Your People) that includes templates to create custom cybersecurity career paths; links to training, certifications, and professional events; and ideas for retaining staff at every level. Individual sectors, associations, and organizations may wish to create their own publications on proficiency levels and career paths.

Appendix A—Listing of NCWF Elements

A.1 NCWF Workforce Categories

Table 2 provides a description of each Category described by the NCWF. Each includes an identifier (e.g., SP) that helps to quickly reference the Category and to support the creation of NCWF Work Role identifiers (see Table 4 - NCWF Work Roles).

Note to Reviewers: The content listed in Appendix A and Appendix B is drawn from multiple sources. Feedback regarding the descriptions of each NCWF component, including Tasks and KSAs, is welcome. The authors also solicit input regarding additional Tasks that might be performed by workers in a particular Work Role, and associated KSAs.

Table 2 - NCWF Workforce Categories

Categories | Descriptions
Securely Provision (SP) | Conceptualizes, designs, and builds secure information technology (IT) systems, with responsibility for aspects of systems and/or networks development.
Operate and Maintain (OM) | Provides the support, administration, and maintenance necessary to ensure effective and efficient information technology (IT) system performance and security.
Oversee and Govern (OV) | Provides leadership, management, direction, or development and advocacy so the organization may effectively conduct cybersecurity work.
Protect and Defend (PR) | Identifies, analyzes, and mitigates threats to internal information technology (IT) systems and/or networks.
Analyze (AN) | Performs highly specialized review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence.
Collect and Operate (CO) | Provides specialized denial and deception operations and collection of cybersecurity information that may be used to develop intelligence.
Investigate (IN) | Investigates cybersecurity events or crimes related to information technology (IT) systems, networks, and digital evidence.

A.2 NCWF Specialty Areas

Table 3 provides a description of each of the NCWF Specialty Areas. As with the NCWF Categories, each Specialty Area includes an identifier (e.g., RM) that helps to quickly reference the area and further supports the creation of NCWF Work Role identifiers (see Table 4 - NCWF Work Roles).

Table 3 - NCWF Specialty Areas

Categories | Specialty Areas | Specialty Area Descriptions
Securely Provision (SP) | Risk Management (RM) | Oversees, evaluates, and supports the documentation, validation, assessment, and authorization processes necessary to assure that existing and new information technology (IT) systems meet the organization's cybersecurity and risk requirements. Ensures appropriate treatment of risk, compliance, and assurance from internal and external perspectives.
Securely Provision (SP) | Software Development (DEV) | Develops and writes/codes new (or modifies existing) computer applications, software, or specialized utility programs following software assurance best practices.
Securely Provision (SP) | Systems Architecture (ARC) | Develops system concepts and works on the capabilities phases of the systems development life cycle; translates technology and environmental conditions (e.g., law and regulation) into system and security designs and processes.
Securely Provision (SP) | Technology R&D (RD) | Conducts technology assessment and integration processes; provides and supports a prototype capability and/or evaluates its utility.
Securely Provision (SP) | Systems Requirements Planning (RP) | Consults with customers to gather and evaluate functional requirements and translates these requirements into technical solutions. Provides guidance to customers about applicability of information systems to meet business needs.
Securely Provision (SP) | Test and Evaluation (TE) | Develops and conducts tests of systems to evaluate compliance with specifications and requirements by applying principles and methods for cost-effective planning, evaluating, verifying, and validating of technical, functional, and performance characteristics (including interoperability) of systems or elements of systems incorporating IT.
Securely Provision (SP) | Systems Development (SYS) | Works on the development phases of the systems development life cycle.
Operate and Maintain (OM) | Data Administration (DA) | Develops and administers databases and/or data management systems that allow for the storage, query, and utilization of data.
Operate and Maintain (OM) | Knowledge Management (KM) | Manages and administers processes and tools that enable the organization to identify, document, and access intellectual capital and information content.
Operate and Maintain (OM) | Customer Service and Technical Support (TS) | Addresses problems; installs, configures, troubleshoots, and provides maintenance and training in response to customer requirements or inquiries (e.g., tiered-level customer support).
Operate and Maintain (OM) | Network Services (NET) | Installs, configures, tests, operates, maintains, and manages networks and their firewalls, including hardware (e.g., hubs, bridges, switches, multiplexers, routers, cables, proxy servers, and protective distributor systems) and software that permit the sharing and transmission of all spectrum transmissions of information to support the security of information and information systems.
Operate and Maintain (OM) | Systems Administration (SA) | Installs, configures, troubleshoots, and maintains server configurations (hardware and software) to ensure their confidentiality, integrity, and availability. Also manages accounts, firewalls, and patches. Responsible for access control, passwords, and account creation and administration.
Operate and Maintain (OM) | Systems Analysis (AN) | Conducts the integration/testing, operations, and maintenance of systems security.
Oversee and Govern (OV) | Legal Advice and Advocacy (LG) | Provides legally sound advice and recommendations to leadership and staff on a variety of relevant topics within the pertinent subject domain. Advocates legal and policy changes, and makes a case on behalf of client via a wide range of written and oral work products, including legal briefs and proceedings.
Oversee and Govern (OV) | Training, Education, and Awareness (ED) | Conducts training of personnel within pertinent subject domain. Develops, plans, coordinates, delivers, and/or evaluates training courses, methods, and techniques as appropriate.
Oversee and Govern (OV) | Cybersecurity Management (MG) | Oversees the cybersecurity program of an information system or network, including managing information security implications within the organization, specific program, or other area of responsibility, to include strategic, personnel, infrastructure, requirements, policy enforcement, emergency planning, security awareness, and other resources.
Oversee and Govern (OV) | Strategic Planning and Policy (PL) | Develops policies and plans and/or advocates for changes in policy that support organizational cyberspace initiatives or required changes/enhancements.
Oversee and Govern (OV) | Executive Cybersecurity Leadership (EX) | Supervises, manages, and/or leads work and workers performing cybersecurity work.
Oversee and Govern (OV) | Acquisition and Program/Project Management (PM) | Applies knowledge of data, information, processes, organizational interactions, skills, and analytical expertise, as well as systems, networks, and information exchange capabilities, to manage acquisition programs. Executes duties governing hardware, software, and information system acquisition programs and other program management policies. Provides direct support for acquisitions that use information technology (IT), including National Security Systems, applying IT-related laws and policies, and provides IT-related guidance throughout the total acquisition life cycle.
Protect and Defend (PR) | Cybersecurity Defense Analysis (DA) | Uses defensive measures and information collected from a variety of sources to identify, analyze, and report events that occur or might occur within the network in order to protect information, information systems, and networks from threats.
Protect and Defend (PR) | Cybersecurity Defense Infrastructure Support (INF) | Tests, implements, deploys, maintains, reviews, and administers the infrastructure hardware and software that are required to effectively manage the computer network defense service provider network and resources. Monitors the network to actively remediate unauthorized activities.
Protect and Defend (PR) | Incident Response (IR) | Responds to crises or urgent situations within the pertinent domain to mitigate immediate and potential threats. Uses mitigation, preparedness, and response and recovery approaches, as needed, to maximize survival of life, preservation of property, and information security. Investigates and analyzes all relevant response activities.
Protect and Defend (PR) | Vulnerability Assessment and Management (VA) | Conducts assessments of threats and vulnerabilities; determines deviations from acceptable configurations, enterprise or local policy; assesses the level of risk; and develops and/or recommends appropriate mitigation countermeasures in operational and nonoperational situations.
Analyze (AN) | Threat Analysis (TA) | Identifies and assesses the capabilities and activities of cybersecurity criminals or foreign intelligence entities; produces findings to help initialize or support law enforcement and counterintelligence investigations or activities.
Analyze (AN) | Exploitation Analysis (XA) | Analyzes collected information to identify vulnerabilities and potential for exploitation.
Analyze (AN) | All-Source Analysis (AN) | Analyzes threat information from multiple sources, disciplines, and agencies
Analyze (AN) | Targets (TD) |
Analyze (AN) | Language Analysis (LA) |
Collect and Operate (CO) | Collection Operations (CL) |
Collect and Operate (CO) | Cyber Operational Planning (PL) |
across the Intelligence Community Synthesizes and places intelligence information in context draws insights about the possible implications Applies current knowledge of one or more regions countries non-state entities and or technologies Applies language cultural and technical expertise to support information collection analysis and other cybersecurity activities Executes collection using appropriate strategies and within the priorities established through the collection management process Performs in-depth joint targeting and cybersecurity planning process Gathers information and develops detailed Operational Plans and Orders supporting 22 NIST SP 800-181 DRAFT Categories NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Specialty Areas Cyber Operations OP Investigate IN Cyber Investigation CI Digital Forensics FO Specialty Area Descriptions requirements Conducts strategic and operational-level planning across the full range of operations for integrated information and cyberspace operations Performs activities to gather evidence on criminal or foreign intelligence entities in order to mitigate possible or real-time threats protect against espionage or insider threats foreign sabotage international terrorist activities or to support other intelligence activities Applies tactics techniques and procedures for a full range of investigative tools and processes to include but not limited to interview and interrogation techniques surveillance counter surveillance and surveillance detection and appropriately balances the benefits of prosecution versus intelligence gathering Collects processes preserves analyzes and presents computer-related evidence in support of network vulnerability mitigation and or criminal fraud counterintelligence or law enforcement investigations 23 NIST SP 800-181 DRAFT NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF 821 A 3 822 823 824 825 826 827 828 Table 4 provides a description of each of the Work Roles described by the NCWF Each Work Role is 
identified by the Category and Specialty Area followed by a sequential number (e.g., SP-RM-001 is the first Work Role in the SP Category, RM Specialty Area). Some of the Work Role Descriptions originate with external documents (e.g., Committee on National Security Systems Instruction (CNSSI) 4009) and include that information in the description column. As described in Section 4, the NCWF will be periodically refreshed, with some Work Roles becoming deprecated, added, or modified to address changes to the cybersecurity workforce landscape.

Table 4 - NCWF Work Roles

Category: Securely Provision (SP)
Specialty Area: Risk Management (RM)
SP-RM-001 Authorizing Official/Designating Representative: Senior official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation (CNSSI 4009).
SP-RM-002 Security Control Assessor: Conducts independent, comprehensive assessments of the management, operational, and technical security controls and control enhancements employed within or inherited by an information technology (IT) system to determine the overall effectiveness of the controls (as defined in NIST SP 800-37).
Specialty Area: Software Development (DEV)
SP-DEV-001 Software Developer: Develops, creates, maintains, and writes/codes new (or modifies existing) computer applications, software, or specialized utility programs.
SP-DEV-002 Secure Software Assessor: Analyzes the security of new or existing computer applications, software, or specialized utility programs and provides actionable results.
Specialty Area: Systems Architecture (ARC)
SP-ARC-001 Enterprise Architect: Develops and maintains business, systems, and information processes to support enterprise mission needs; develops information technology (IT) rules and requirements that describe baseline and target architectures.
SP-ARC-002 Security Architect: Designs enterprise and systems security throughout the development life cycle; translates technology and environmental conditions (e.g., law and regulation) into security designs and processes.
Specialty Area: Technology R&D (RD)
SP-RD-001 Research & Development Specialist: Conducts software and systems engineering and software systems research in order to develop new capabilities, ensuring cybersecurity is fully integrated. Conducts comprehensive technology research to evaluate potential vulnerabilities in cyberspace systems.
Specialty Area: Systems Requirements Planning (RP)
SP-RP-001 Systems Requirements Planner: Consults with customers to evaluate functional requirements and translate functional requirements into technical solutions.
Specialty Area: Test and Evaluation (TE)
SP-TE-001 System Testing and Evaluation Specialist: Plans, prepares, and executes tests of systems to evaluate results against specifications and requirements, as well as analyze/report test results.
Specialty Area: Systems Development (SYS)
SP-SYS-001 Information Systems Security Developer: Designs, develops, tests, and evaluates information system security throughout the systems development life cycle.
SP-SYS-002 Systems Developer: Designs, develops, tests, and evaluates information systems throughout the systems development life cycle.

Category: Operate and Maintain (OM)
Specialty Area: Data Administration (DA)
OM-DA-001 Database Administrator: Administers databases and/or data management systems that allow for the storage, query, and utilization of data.
OM-DA-002 Data Analyst: Examines data from multiple disparate sources with the goal of providing new insight. Designs and implements custom algorithms, flow processes, and layouts for complex, enterprise-scale data sets used for modeling, data mining, and research purposes.
Specialty Area: Knowledge Management (KM)
OM-KM-001 Knowledge Manager: Responsible for the management and administration of processes and tools that enable the organization to identify, document, and access intellectual capital and information content.
Specialty Area: Customer Service and Technical Support (TS)
OM-TS-001 Technical Support Specialist: Provides technical support to customers who need assistance utilizing client-level hardware and software in accordance with established or approved organizational process components (i.e., Master Incident Management Plan, when applicable).
Specialty Area: Network Services (NET)
OM-NET-001 Network Operations Specialist: Plans, implements, and operates network services/systems, to include hardware and virtual environments.
Specialty Area: Systems Administration (SA)
OM-SA-001 System Administrator: Installs, configures, troubleshoots, and maintains hardware and software, and administers system accounts.
Specialty Area: Systems Analysis (AN)
OM-AN-001 Systems Security Analyst: Responsible for the analysis and development of the integration, testing, operations, and maintenance of systems security.

Category: Oversee and Govern (OV)
Specialty Area: Legal Advice and Advocacy (LG)
OV-LG-001 Cyber Legal Advisor: Provides legal advice and recommendations on relevant topics related to cyber law.
OV-LG-002 Privacy Compliance Manager: Develops and oversees privacy compliance program and privacy program staff, supporting privacy compliance needs of privacy and security executives and their teams.
Specialty Area: Training, Education, and Awareness (ED)
OV-ED-001 Cyber Instructional Curriculum Developer: Develops, plans, coordinates, and evaluates cyber training/education courses, methods, and techniques based on instructional needs.
OV-ED-002 Cyber Instructor: Develops and conducts training or education of personnel within cyber domain.
Specialty Area: Cybersecurity Management (MG)
OV-MG-001 Information Systems Security Manager: Responsible for the cybersecurity of a program, organization, system, or enclave.
OV-MG-002 COMSEC Manager: Manages the Communications Security (COMSEC) resources of an organization (CNSSI 4009).
Specialty Area: Strategic Planning and Policy (PL)
OV-PL-001 Cyber Workforce Developer and Manager: Develops cyberspace workforce plans, strategies, and guidance to support cyberspace workforce manpower, personnel, training, and education requirements and to address changes to cyberspace policy, doctrine, materiel, force structure, and education and training requirements.
OV-PL-002 Cyber Policy and Strategy Planner: Develops cyberspace plans, strategy, and policy to support and align with organizational cyberspace missions and initiatives.
Specialty Area: Executive Cyber Leadership (EX)
OV-EX-001 Executive Cyber Leadership: Executes decision-making authorities and establishes vision and direction for an organization's cyber and cyber-related resources and/or operations.
Specialty Area: Acquisition and Program/Project Management (PM)
OV-PM-001 Program Manager: Leads, coordinates, communicates, integrates, and is accountable for the overall success of the program, ensuring alignment with critical agency priorities.
OV-PM-002 IT Project Manager: Directly manages information technology projects to provide a unique service or product.
OV-PM-003 Product Support Manager: Manages the package of support functions required to field and maintain the readiness and operational capability of systems and components.
OV-PM-004 IT Investment/Portfolio Manager: Manages a portfolio of IT capabilities that align with the overall needs of mission and business enterprise priorities.
OV-PM-005 IT Program Auditor: Conducts evaluations of an IT program or its individual components to determine compliance with published standards.

Category: Protect and Defend (PR)
Specialty Area: Cyber Defense Analysis (DA)
PR-DA-001 Cyber Defense Analyst: Uses data collected from a variety of cyber defense tools (e.g., IDS alerts, firewalls, network traffic logs) to analyze events that occur within their environments for the purposes of mitigating threats.
Specialty Area: Cyber Defense Infrastructure Support (INF)
PR-INF-001 Cyber Defense Infrastructure Support Specialist: Tests, implements, deploys, maintains, and administers the infrastructure hardware and software.
Specialty Area: Incident Response (IR)
PR-IR-001 Cyber Defense Incident Responder: Investigates, analyzes, and responds to cyber incidents within the network environment or enclave.
Specialty Area: Vulnerability Assessment and Management (VA)
PR-VA-001 Vulnerability Assessment Analyst: Performs assessments of systems and networks within the network environment or enclave and identifies where those systems/networks deviate from acceptable configurations, enclave policy, or local policy. Measures effectiveness of defense-in-depth architecture against known vulnerabilities.

Category: Analyze (AN)
Specialty Area: Threat Analysis (TA)
AN-TA-001 Warning Analyst: Develops unique cyber indicators to maintain constant awareness of the status of the highly dynamic operating environment. Collects, processes, analyzes, and disseminates cyber warning assessments.
Specialty Area: Exploitation Analysis (XA)
AN-XA-001 Exploitation Analyst: Collaborates to identify access and collection gaps that can be satisfied through cyber collection and/or preparation activities. Leverages all authorized resources and analytic techniques to penetrate targeted networks.
Specialty Area: All-Source Analysis (AN)
AN-AN-001 All-Source Analyst: Analyzes data/information from one or multiple sources to conduct preparation of the environment, respond to requests for information, and submit intelligence collection and production requirements in support of planning and operations.
AN-AN-002 Mission Assessment Specialist: Develops assessment plans and measures of performance/effectiveness. Conducts strategic and operational effectiveness assessments as required for cyber events. Determines whether systems performed as expected and provides input to the determination of operational effectiveness.
Specialty Area: Targets (TD)
AN-TD-001 Target Developer: Performs target system analysis; builds and/or maintains electronic target folders to include inputs from environment preparation and/or internal or external intelligence sources. Coordinates with partner target activities and intelligence organizations, and presents candidate targets for vetting and validation.
AN-TD-002 Target Network Analyst: Conducts advanced analysis of collection and open-source data to ensure target continuity, to profile targets and their activities, and to develop techniques to gain more target information. Determines how targets communicate, move, operate, and live based on knowledge of target technologies, digital networks, and the applications on them.
Specialty Area: Language Analysis (LA)
AN-LA-001 Multi-Disciplined Language Analyst: Applies language and culture expertise with target/threat and technical knowledge to process, analyze, and/or disseminate intelligence information derived from language, voice, and/or graphic material. Creates and maintains language-specific databases and working aids to support cyber action execution and ensure critical knowledge sharing. Provides subject matter expertise in foreign language-intensive or interdisciplinary projects.

Category: Collect and Operate (CO)
Specialty Area: Collection Operations (CL)
CO-CL-001 All Source-Collection Manager: Identifies collection authorities and environment; incorporates priority information requirements into collection management; develops concepts to meet leadership's intent. Determines capabilities of available collection assets, identifies new collection capabilities, and constructs and disseminates collection plans. Monitors execution of tasked collection to ensure effective execution of the collection plan.
CO-CL-002 All Source-Collection Requirements Manager: Evaluates collection operations and develops effects-based collection requirements strategies using available sources and methods to improve collection. Develops, processes, validates, and coordinates submission of collection requirements. Evaluates performance of collection assets and collection operations.
Specialty Area: Cyber Operational Planning (PL)
CO-PL-001 Cyber Intel Planner: Develops detailed intelligence plans to satisfy cyber operations requirements. Collaborates with cyber operations planners to identify, validate, and levy requirements for collection and analysis. Participates in targeting selection, validation, synchronization, and execution of cyber actions. Synchronizes intelligence activities to support organization objectives in cyberspace.
CO-PL-002 Cyber Ops Planner: Develops detailed plans for the conduct or support of the applicable range of cyber operations through collaboration with other planners, operators, and/or analysts. Participates in targeting selection, validation, synchronization, and enables integration during the execution of cyber actions.
CO-PL-003 Partner Integration Planner: Works to advance cooperation across organizational or national borders between cyber operations partners. Aids the integration of partner cyber teams by providing guidance, resources, and collaboration to develop best practices and facilitate organizational support for achieving objectives in integrated cyber actions.
Specialty Area: Cyber Operations (OP)
CO-OP-001 Cyber Operator: Conducts collection, processing, and/or geolocation of systems in order to exploit, locate, and/or track targets of interest. Performs network navigation, tactical forensic analysis, and, when directed, executing on-net operations.

Category: Investigate (IN)
Specialty Area: Cyber Investigation (CI)
IN-CI-001 Cyber Crime Investigator: Identifies, collects, examines, and preserves evidence using controlled and documented analytical and investigative techniques.
Specialty Area: Digital Forensics (FO)
IN-FO-001 Forensics Analyst: Conducts deep-dive investigations on computer-based crimes establishing documentary or physical evidence, to include digital media and logs associated with cyber intrusion incidents.
IN-FO-002 Cyber Defense Forensics Analyst: Analyzes digital evidence and investigates computer security incidents to derive useful information in support of system/network vulnerability mitigation.

A.4 NCWF Work Role Tasks

Table 5 provides a listing of the various Tasks associated with NCWF Work Roles. Because the Tasks have evolved over many years and are expected to continue to do so, they are not sorted in a particular order and will simply continue to grow sequentially.

Table 5 - NCWF Work Role Tasks

T0001 Acquire and manage the necessary resources, including leadership support, financial resources, and key security personnel, to support information technology (IT) security goals and objectives and reduce overall organizational risk.
T0002 Acquire necessary resources, including financial resources, to conduct an effective enterprise continuity of operations program.
T0003 Advise senior management (e.g., Chief Information Officer (CIO)) on risk levels and security posture.
T0004 Advise senior management (e.g., CIO) on cost/benefit analysis of information security programs, policies, processes, and systems and elements.
T0005 Advise appropriate senior leadership or Authorizing Official of changes affecting the organization's cybersecurity posture.
T0006 Advocate organization's official position in legal and legislative proceedings.
T0007 Analyze and define data requirements and specifications.
T0008 Analyze and plan for anticipated changes in data capacity requirements.
T0009 Analyze information to determine, recommend, and plan the development of a new application or modification of an existing application.
T0010 Analyze organization's cyber defense policies and configurations and evaluate compliance with regulations and organizational directives.
T0011 Analyze user needs and software requirements to
determine feasibility of design within time and cost constraints.
T0012 Analyze design constraints, analyze trade-offs and detailed system and security design, and consider lifecycle support.
T0013 Apply coding and testing standards, apply security testing tools (including "fuzzing" and static-analysis code scanning tools), and conduct code reviews.
T0014 Apply secure code documentation.
T0015 Apply security policies to applications that interface with one another, such as Business-to-Business (B2B) applications.
T0016 Apply security policies to meet security objectives of the system.
T0017 Apply service-oriented security architecture principles to meet organization's confidentiality, integrity, and availability requirements.
T0018 Assess the effectiveness of cybersecurity measures utilized by system(s).
T0019 Assess threats to and vulnerabilities of computer system(s) to develop a security risk profile.
T0020 Develop content for cyber defense tools.
T0021 Build, test, and modify product prototypes using working models or theoretical models.
T0022 Capture security controls used during the requirements phase to integrate security within the process, to identify key security objectives, and to maximize software security while minimizing disruption to plans and schedules.
T0023 Characterize and analyze network traffic to identify anomalous activity and potential threats to network resources.
T0024 Collect and maintain data needed to meet system cybersecurity reporting.
T0025 Communicate the value of information technology (IT) security throughout all levels of the organization stakeholders.
T0026 Compile and write documentation of program development and subsequent revisions, inserting comments in the coded instructions so others can understand the program.
T0027 Conduct analysis of log files, evidence, and other information in order to determine best methods for identifying the perpetrator(s) of a network intrusion.
T0028 Conduct and/or support authorized penetration testing on enterprise network assets.
T0029 Conduct functional and connectivity testing to ensure continuing operability.
T0030 Conduct interactive training exercises to create an effective learning environment.
T0031 Conduct interviews of victims and witnesses, and conduct interviews or interrogations of suspects.
T0032 Conduct Privacy Impact Assessments (PIA) of the application's security design for the appropriate security controls which protect the confidentiality and integrity of Personally Identifiable Information (PII).
T0033 Conduct risk analysis, feasibility study, and/or trade-off analysis to develop, document, and refine functional requirements and specifications.
T0034 Confer with systems analysts, engineers, programmers, and others to design application and to obtain information on project limitations and capabilities, performance requirements, and interfaces.
T0035 Configure and optimize network hubs, routers, and switches (e.g., higher-level protocols, tunneling).
T0036 Confirm what is known about an intrusion and discover new information, if possible, after identifying intrusion via dynamic analysis.
T0037 Construct access paths to suites of information (e.g., link pages) to facilitate access by end-users.
T0038 Develop threat model based on customer interviews and requirements.
T0039 Consult with customers to evaluate functional requirements.
T0040 Consult with engineering staff to evaluate interface between hardware and software.
T0041 Coordinate and provide expert technical support to enterprise-wide cyber defense technicians to resolve cyber defense incidents.
T0042 Coordinate with Cyber Defense Analysts to manage and administer the updating of rules and signatures (e.g., intrusion detection/protection systems, anti-virus, and content blacklists) for specialized cyber defense applications.
T0043 Coordinate with enterprise-wide cyber defense staff to validate network alerts.
T0044 Collaborate with stakeholders to establish the enterprise continuity of operations program, strategy, and mission assurance.
T0045 Coordinate with systems architects and developers, as needed, to provide oversight in the development of design solutions.
T0046 Correct errors by making appropriate changes and rechecking the program to ensure desired results are produced.
T0047 Correlate incident data to identify specific vulnerabilities and make recommendations that enable expeditious remediation.
T0048 Create a forensically sound duplicate of the evidence (i.e., forensic image) that ensures the original evidence is not unintentionally modified, to use for data recovery and analysis processes. This includes, but is not limited to, hard drives, floppy diskettes, CD, PDA, mobile phones, GPS, and all tape formats.
T0049 Decrypt seized data using technical means.
T0050 Define and prioritize essential system capabilities or business functions required for partial or full system restoration after a catastrophic failure event.
T0051 Define appropriate levels of system availability based on critical system functions and ensure system requirements identify appropriate disaster recovery and continuity of operations requirements, to include any appropriate fail-over/alternate site requirements, backup requirements, and material supportability requirements for system recovery/restoration.
T0052 Define project scope and objectives based on customer requirements.
T0053 Design and develop cybersecurity or cybersecurity-enabled products.
T0054 Design group policies and access control lists to ensure compatibility with organizational standards, business rules, and needs.
T0055 Design hardware, operating systems, and software applications to adequately address cybersecurity requirements.
T0056 Design or integrate appropriate data backup capabilities into overall system designs, and ensure appropriate technical and procedural processes exist for secure system backups and protected storage of backup data.
T0057 Design, develop, and modify software systems using scientific analysis and mathematical models to predict and measure outcome and consequences of design.
T0058 Determine level of assurance of developed capabilities based on test results.
T0059 Develop a plan to investigate alleged crime, violation, or suspicious activity utilizing computers and the internet.
T0060 Develop an understanding of the needs and requirements of information end-users.
T0061 Develop and direct system testing and validation procedures and documentation.
T0062 Develop and document requirements, capabilities, and constraints for design procedures and processes.
T0063 Develop and document systems administration standard operating procedures.
T0064 Review and validate data mining and data warehousing programs, processes, and requirements.
T0065 Develop and implement network backup and recovery procedures.
T0066 Develop and maintain strategic plans.
T0067 Develop architectures or system components consistent with technical specifications.
T0068 Develop data standards, policies, and procedures.
T0069 Develop detailed security design documentation for component and interface specifications to support system design and development.
T0070 Develop Disaster Recovery and Continuity of Operations plans for systems under development and ensure testing prior to systems entering a production environment.
T0071 Develop/integrate cybersecurity designs for systems and networks with multilevel security requirements or requirements for the processing of multiple classification levels of data, primarily applicable to government organizations (e.g., UNCLASSIFIED, SECRET, and TOP SECRET).
T0072 Develop methods to monitor and measure risk, compliance, and assurance efforts.
T0073 Develop new or identify existing awareness and training materials that are appropriate for intended audiences.
T0074 Develop policy, programs, and guidelines for implementation.
T0075 Provide technical summary of findings in accordance with established reporting procedures.
T0076 Develop risk mitigation strategies to resolve vulnerabilities and recommend security changes to system or system components as needed.
T0077 Develop secure code and error handling.
T0078 Develop specific cybersecurity countermeasures and risk mitigation strategies for systems and/or applications.
T0079 Develop specifications to ensure risk, compliance, and assurance efforts conform with security, resilience, and dependability requirements at the software application, system, and network environment level.
T0080 Develop test plans to address specifications and requirements.
T0081 Diagnose network connectivity problem.
T0082 Document and address organization's information security, cybersecurity architecture, and systems security engineering requirements throughout the acquisition lifecycle.
T0083 Draft statements of preliminary or residual security risks for system operation.
T0084 Employ secure configuration management processes.
T0085 Ensure all systems security operations and maintenance activities are properly documented and updated as necessary.
T0086 Ensure application of security patches for commercial products integrated into system design meet the timelines dictated by the management authority for the intended operational environment.
T0087 Ensure chain of custody is followed for all digital media acquired in accordance with the Federal Rules of Evidence.
T0088 Ensure cybersecurity-enabled products or other compensating security control technologies reduce identified risk to an acceptable level.
T0089 Ensure security improvement actions are evaluated, validated, and implemented as required.
T0090 Ensure acquired or developed system(s) and architecture(s) are consistent with organization's cybersecurity architecture guidelines.
T0091 Ensure that cybersecurity inspections, tests, and reviews are coordinated for the network environment.
T0092 Ensure that cybersecurity requirements are integrated into the continuity planning for that system and/or organization(s).
T0093 Ensure that protection and detection capabilities are acquired or developed using the IS security engineering approach and are consistent with organization-level cybersecurity architecture.
T0094 Establish and maintain communication channels with stakeholders.
T0095 Establish overall enterprise information security architecture (EISA) with the organization's overall security strategy.
T0096 Establish relationships, if applicable, between the incident response team and other groups, both internal (e.g., legal department) and external (e.g., law enforcement agencies, vendors, and public relations professionals).
T0097 Evaluate and approve development efforts to ensure that baseline security safeguards are appropriately installed.
T0098 Evaluate contracts to ensure compliance with funding, legal, and program requirements.
T0099 Evaluate cost/benefit, economic, and risk analysis in decision-making process.
T0100 Evaluate factors such as reporting formats required, cost constraints, and need for security restrictions to determine hardware configuration.
T0101 Evaluate the effectiveness and comprehensiveness of existing training programs.
T0102 Evaluate the effectiveness of laws, regulations, policies, standards, or procedures.
T0103 Examine recovered data for information of relevance to the issue at hand.
T0104 Fuse computer network attack analyses with criminal and counterintelligence investigations and operations.
T0105 Identify components or elements, allocate security functions to those elements, and describe the relationships between the elements.
T0106 Identify alternative information security strategies to address organizational security objective.
T0107 Identify and direct the remediation of technical problems encountered during testing and implementation of new systems (e.g., identify and find work-arounds for communication protocols that are not interoperable).
T0108 Identify and prioritize critical business functions in collaboration with organizational stakeholders.
T0109 Identify and prioritize essential system functions or sub-systems required to support essential capabilities or business functions for restoration or recovery after a system failure or during a system recovery event, based on overall system requirements for continuity and availability.
T0110 Identify and/or determine whether a security incident is indicative of a violation of law that requires specific legal action.
T0111 Identify basic common coding flaws at a high level.
T0112 Identify data or intelligence of evidentiary value to support counterintelligence and criminal investigations.
T0113 Identify digital evidence for examination and analysis in such a way as to avoid unintentional alteration.
T0114 Identify elements of proof of the crime.
T0115 Identify information technology (IT) security program implications of new technologies or technology upgrades.
T0116 Identify organizational policy stakeholders.
T0117 Identify security implications and apply methodologies within centralized and decentralized environments across the enterprise's computer systems in software development.
T0118 Identify security issues around steady state operation and management of software and incorporate security measures that must be taken when a product reaches its end of life.
T0119 Identify, assess, and recommend cybersecurity or cybersecurity-enabled products for use within a system and ensure recommended products are in compliance with organization's evaluation and validation requirements.
T0120 Identify, collect, and seize documentary or physical evidence, to include digital media and logs associated with cyber intrusion incidents, investigations, and operations.
T0121 Implement new system design procedures, test procedures, and quality standards.
T0122 Implement security designs for new or existing system(s).
T0123 Implement specific cybersecurity countermeasures for systems and/or applications.
T0124 Incorporate cybersecurity vulnerability solutions into system designs (e.g., Cybersecurity Vulnerability Alerts).
T0125 Install and maintain network infrastructure device operating system software (e.g., IOS, firmware).
T0126 Install or replace network hubs, routers, and switches.
T0127 Integrate and align information security and/or cybersecurity policies to ensure system analysis meets security requirements.
T0128 Integrate automated capabilities for updating or patching system software where practical, and develop processes and procedures for manual updating and patching of system software based on current and projected patch timeline requirements for the operational environment of the system.
T0129 Integrate new systems into existing network architecture.
T0130 Interface with external organizations (e.g., public affairs, law enforcement, Command or Component Inspector General) to ensure appropriate and accurate dissemination of incident and other Computer Network Defense information.
T0131 Interpret and apply laws, regulations, policies, standards, or procedures to specific issues.
T0132 Interpret and/or approve security requirements relative to the capabilities of new information technologies.
T0133 Interpret patterns of non-compliance to determine their impact on levels of risk and/or overall effectiveness of the enterprise's cybersecurity program.
T0134 Lead and align information technology (IT) security priorities with the security strategy.
T0135 Lead and oversee information security budget, staffing, and contracting.
T0136 Maintain baseline system security according to organizational policies.
T0137 Maintain database management systems software.
T0138 Maintain deployable cyber defense audit toolkit (e.g., specialized cyber defense software and hardware) to
support cyber defense audit missions Maintain directory replication services that enable information to replicate automatically from rear servers to forward units via optimized routing Maintain information exchanges through publish subscribe and alert functions that enable users to send and receive critical information as required Maintain information systems assurance and accreditation materials Maintain knowledge of applicable cyber defense policies regulations and compliance documents specifically related to cyber defense auditing Make recommendations based on test results Manage accounts network rights and access to systems and equipment Manage and approve Accreditation Packages e g ISO IEC 15026-2 Manage the compilation cataloging caching distribution and retrieval of data Manage the monitoring of information security data sources to maintain organizational situational awareness Manage the publishing of Computer Network Defense guidance e g TCNOs Concept of Operations Net Analyst Reports NTSM MTOs for the enterprise constituency Manage threat or target analysis of cyber defense information and production of threat information within the enterprise Monitor and evaluate a system's compliance with information technology IT security resilience and dependability requirements Monitor and evaluate the effectiveness of the enterprise's cybersecurity safeguards to ensure they provide the intended level of protection Monitor and maintain databases to ensure optimal performance Monitor network capacity and performance Monitor and report the usage of knowledge management assets and resources Document and escalate incidents including event’s history status and potential impact for further action that may cause ongoing and immediate impact to the environment Oversee and make recommendations regarding configuration management Oversee the information security training and awareness program Participate in an information security risk assessment during the Security Assessment 
and Authorization process Participate in the development or modification of the computer environment cybersecurity program plans and requirements Patch network vulnerabilities to ensure information is safeguarded against outside parties Perform analysis of log files from a variety of sources e g individual host logs network traffic logs firewall logs and intrusion detection system IDS logs to identify possible threats to network security Perform backup and recovery of databases to ensure data integrity Perform cyber defense incident triage to include determining scope urgency and potential impact identifying the specific vulnerability and making recommendations that enable expeditious remediation 36 NIST SP 800-181 DRAFT Task NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Task Description T0164 Perform cyber defense trend analysis and reporting Perform dynamic analysis to boot an “image” of a drive without necessarily having the T0165 original drive to see the intrusion as the user may have seen it in a native environment Perform event correlation using information gathered from a variety of sources within the T0166 enterprise to gain situational awareness and determine the effectiveness of an observed attack T0167 Perform file signature analysis T0168 Perform hash comparison against established database T0169 Perform cybersecurity testing of developed applications and or systems Perform initial forensically sound collection of images and inspect to discern possible T0170 mitigation remediation on enterprise systems T0171 Perform integrated quality assurance testing for security functionality and resiliency attack T0172 Perform real-time forensic analysis e g using Helix in conjunction with LiveView T0173 Perform timeline analysis Perform needs analysis to determine opportunities for new and improved business process T0174 solutions Perform real-time cyber defense incident handling e g forensic collections intrusion correlation and tracking threat analysis and direct 
system remediation tasks to support T0175 deployable Incident Response Teams IRTs T0176 Perform secure programming and identify potential flaws in codes to mitigate vulnerabilities Perform security reviews identify gaps in security architecture and develop a security risk T0177 management plan Perform security reviews and identify security gaps in security architecture resulting in T0178 recommendations for the inclusion into the risk mitigation strategy T0179 Perform static media analysis Perform system administration on specialized cyber defense applications and systems e g anti-virus audit and remediation or Virtual Private Network VPN devices to include T0180 installation configuration maintenance backup and restoration Perform risk analysis e g threat vulnerability and probability of occurrence whenever an T0181 application or system undergoes a major change T0182 Perform tier 1 2 and 3 malware analysis Perform validation steps comparing actual results with expected results and analyze the T0183 differences to identify impact and risks Plan and conduct security authorization reviews and assurance case development for initial T0184 installation of systems and networks T0185 Plan and manage the delivery of knowledge management projects T0186 Plan execute and verify data redundancy and system recovery procedures Plan and recommend modifications or adjustments based on exercise results or system T0187 environment Prepare audit reports that identify technical and procedural findings and provide T0188 recommended remediation strategies solutions Prepare detailed workflow charts and diagrams that describe input output and logical T0189 operation and convert them into a series of instructions coded in a computer language Prepare digital media for imaging by ensuring data integrity e g write blockers in T0190 accordance with standard operating procedures T0191 Prepare use cases to justify the need for specific information technology IT solutions Prepare distribute and 
maintain plans instructions guidance and standard operating T0192 procedures concerning the security of network system s operations T0193 Process crime scenes 37 NIST SP 800-181 DRAFT Task T0194 T0195 T0196 T0197 T0198 T0199 T0200 T0201 T0202 T0203 T0204 T0205 T0206 T0207 T0208 T0209 T0210 T0211 T0212 T0213 T0214 T0215 T0216 T0217 T0218 T0219 T0220 T0221 T0222 NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Task Description Properly document all systems security implementation operations and maintenance activities and update as necessary Provide a managed flow of relevant information via web-based portals or other means based on mission requirements Provide advice on project costs design concepts or design changes Provide an accurate technical evaluation of the software application system or network documenting the security posture capabilities and vulnerabilities against relevant cybersecurity compliances Provide daily summary reports of network events and activity relevant to cyber defense practices Provide enterprise cybersecurity and supply chain risk management guidance for development of the Continuity of Operations Plans Provide feedback on network requirements including network architecture and infrastructure Provide guidelines for implementing developed systems to customers or installation teams Provide cybersecurity guidance to leadership Provide input on security requirements to be included in statements of work and other appropriate procurement documents Provide input to implementation plans and standard operating procedures Provide input to the Risk Management Framework process activities and related documentation e g system life-cycle support plans concept of operations operational procedures and maintenance training materials Provide leadership and direction to information technology IT personnel by ensuring that cybersecurity awareness basics literacy and training are provided to operations personnel commensurate with their responsibilities Provide 
ongoing optimization and problem solving support Provide recommendations for possible improvements and upgrades Provide recommendations on data structures and databases that ensure correct and quality production of reports management information Provide recommendations on new database technologies and architectures Provide system related input on cybersecurity requirements to be included in statements of work and other appropriate procurement documents Provide technical assistance on digital evidence matters to appropriate personnel Provide technical documents incident reports findings from computer examinations summaries and other situational awareness information to higher headquarters Receive and analyze network alerts from various sources within the enterprise and determine possible causes of such alerts Recognize a possible security violation and take appropriate action to report the incident as required Recognize and accurately report forensic artifacts indicative of a particular operating system Address security implications in the software acceptance phase including completion criteria risk acceptance and documentation common criteria and methods of independent testing Recommend new or revised security resilience and dependability measures based on the results of reviews Recommend resource allocations required to securely operate and maintain an organization’s cybersecurity requirements Resolve conflicts in laws regulations policies standards or procedures Review authorization and assurance documents to confirm that the level of risk is within acceptable limits for each software application system and network Review existing and proposed policies with stakeholders 38 NIST SP 800-181 DRAFT Task NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Task Description T0223 Review or conduct audits of information technology IT programs and projects Review training documentation e g Course Content Documents CCD lesson plans student T0224 texts examinations Schedules of 
Instruction SOI and course descriptions T0225 Secure the electronic device or information source T0226 Serve on agency and interagency policy boards T0227 Recommend policy and coordinate review and approval T0228 Store retrieve and manipulate data for analysis of system capabilities and requirements Supervise or manage protective or corrective measures when a cybersecurity incident or T0229 vulnerability is discovered T0230 Support the design and execution of exercise scenarios T0231 Provide support to security certification test and evaluation activities T0232 Test and maintain network infrastructure including software and hardware devices T0233 Track and document cyber defense incidents from initial detection through final resolution T0234 Track audit findings and recommendations to ensure appropriate mitigation actions are taken T0235 Translate functional requirements into technical solutions Translate security requirements into application design elements including documenting the elements of the software attack surfaces conducting threat modeling and defining any T0236 specific security criteria T0237 Troubleshoot system hardware and software T0238 Extract data using data carving techniques e g Forensic Tool Kit FTK Foremost Use federal and organization-specific published documents to manage operations of their T0239 computing environment system s Capture and analyze network traffic associated with malicious activities using network T0240 monitoring tools Use specialized equipment and techniques to catalog document extract collect package and T0241 preserve digital evidence Utilize models and simulations to analyze or predict system performance under different T0242 operating conditions Verify and update security documentation reflecting the application system security design T0243 features Verify that application software network system security postures are implemented as stated T0244 document deviations and recommend required actions to correct those 
deviations Verify that the software application network system accreditation and assurance T0245 documentation is current Write and publish cyber defense techniques guidance and reports on incident findings to T0246 appropriate constituencies Write instructional materials e g standard operating procedures production manual to T0247 provide detailed guidance to relevant portion of the workforce Promote awareness of security issues among management and ensure sound security T0248 principles are reflected in the organization's vision and goals T0249 Research current technology to understand capabilities of required system or network Identify cyber capabilities strategies for custom hardware and software development based on T0250 mission requirements Develop security compliance processes and or audits for external services e g cloud service T0251 providers data centers Conduct required reviews as appropriate within environment e g Technical Surveillance T0252 Countermeasure Reviews TSCM TEMPEST countermeasure reviews T0253 Conduct cursory binary analysis 39 NIST SP 800-181 DRAFT Task T0254 T0255 T0256 T0257 T0258 T0259 T0260 T0261 T0262 T0263 T0264 T0265 T0266 T0267 T0268 T0269 T0270 T0271 T0272 T0273 T0274 T0275 T0276 T0277 NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Task Description Oversee policy standards and implementation strategies to ensure procedures and guidelines comply with cybersecurity policies Participate in Risk Governance process to provide security risks mitigations and input on other technical risk Evaluate the effectiveness of procurement function in addressing information security requirements and supply chain risks through procurement activities and recommend improvements Determine scope infrastructure resources and data sample size to ensure system requirements are adequately demonstrated Provide timely detection identification and alerting of possible attacks intrusions anomalous activities and misuse activities and distinguish these incidents 
and events from benign activities Use cyber defense tools for continual monitoring and analysis of system activity to identify malicious activity Analyze identified malicious activity to determine weaknesses exploited exploitation methods effects on system and information Assist in identifying prioritizing and coordinating the protection of critical cyber defense infrastructure and key resources Employ approved defense-in-depth principles and practices e g defense-in-multiple places layered defenses security robustness Identify security requirements specific to an information technology IT system in all phases of the System Life Cycle Ensure plans of actions and milestones or remediation plans are in place for vulnerabilities identified during risk assessments audits inspections etc Assure successful implementation and functionality of security requirements and appropriate information technology IT policies and procedures that are consistent with the organization's mission and goals Perform penetration testing as required for new or updated applications Design countermeasures and mitigations against potential exploitations of programming language weaknesses and vulnerabilities in system and elements Define and document how the implementation of a new system or new interfaces between systems impacts the security posture of the current environment Design and develop key management functions as related to cybersecurity Analyze user needs and requirements to plan and conduct system security development Develop cybersecurity designs to meet specific operational needs and environmental factors e g access controls automated applications networked operations high integrity and availability requirements multilevel security processing of multiple classification levels and processing Sensitive Compartmented Information Ensure security design and cybersecurity development activities are properly documented providing a functional description of security implementation and 
updated as necessary Develop and document supply chain risks for critical system elements as appropriate Create auditable evidence of security measures Support necessary compliance activities e g ensure system security configuration guidelines are followed compliance monitoring occurs Participate in the acquisition process as necessary following appropriate supply chain risk management practices Ensure all acquisitions procurements and outsourcing efforts address information security requirements consistent with organization goals 40 NIST SP 800-181 DRAFT Task T0278 T0279 T0280 T0281 T0282 T0283 T0284 T0285 T0286 T0287 T0288 T0289 T0290 T0291 T0292 T0293 T0294 T0295 T0296 T0297 T0298 T0299 T0300 T0301 T0302 T0303 T0304 T0305 T0306 T0307 T0308 NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Task Description Collect intrusion artifacts e g source code malware trojans and use discovered data to enable mitigation of potential cyber defense incidents within the enterprise Serve as technical expert and liaison to law enforcement personnel and explain incident details as required Continuously validate the organization against policies guidelines procedures regulations laws to ensure compliance Forecast ongoing service demands and ensure security assumptions are reviewed as necessary Define and or implement policies and procedures to ensure protection of critical infrastructure as appropriate Collaborate with stakeholders to identify and or develop appropriate solutions technology Design and develop new tools technologies as related to cybersecurity Perform virus scanning on digital media Perform file system forensic analysis Perform static analysis to mount an image of a drive without necessarily having the original drive Perform static malware analysis Utilize deployable forensics tool kit to support operations as necessary Determine tactics techniques and procedures TTPs for intrusion sets Examine network topologies to understand data flows through the network Recommend 
computing environment vulnerability corrections Identify and analyze anomalies in network traffic using metadata e g CENTAUR Conduct research analysis and correlation across a wide variety of all source data sets indications and warnings Validate intrusion detection system IDS alerts against network traffic using packet analysis tools Isolate and remove malware Identify applications and operating systems of a network device based on network traffic Reconstruct a malicious attack or activity based off network traffic Identify network mapping and operating system OS fingerprinting activities Develop and document User Experience UX requirements including information architecture and user interface requirements Develop and Implement cybersecurity independent audit processes for application software networks systems and oversee ongoing independent audits to ensure that operational and Research and Design R D processes and procedures are in compliance with organizational and mandatory cybersecurity requirements and accurately followed by Systems Administrators and other cybersecurity staff when performing their day-to-day activities Develop contract language to ensure supply chain system network and operational security are met Identify and leverage the enterprise-wide version control system while designing and developing secure applications Implement and integrate system development life cycle SDLC methodologies e g IBM Rational Unified Process into development environment Performs configuration management problem management capacity management and financial management for databases and data management systems Supports incident management service level management change management release management continuity management and availability management for databases and data management systems Analyze candidate architectures allocate security services and select security mechanisms Analyze incident data for emerging trends 41 NIST SP 800-181 DRAFT Task NICE CYBERSECURITY 
WORKFORCE FRAMEWORK NCWF Task Description T0309 Assess the effectiveness of security controls Assist in the construction of signatures which can be implemented on cyber defense network T0310 tools in response to new or observed threats within the NE or enclave T0311 Consult with customers about software system design and maintenance T0312 Coordinate with intelligence analysts to correlate threat assessment data T0313 Design and document quality standards Develop a system security context a preliminary system security Concept of Operations CONOPS and define baseline system security requirements in accordance with applicable T0314 cybersecurity requirements T0315 Develop and deliver technical training to educate others or meet customer needs T0316 Develop or assist in the development of computer based training modules or classes T0317 Develop or assist in the development of course assignments T0318 Develop or assist in the development of course evaluations T0319 Develop or assist in the development of grading and proficiency standards Assist in the development of individual collective development training and or remediation T0320 plans T0321 Develop or assist in the development of learning objectives and goals T0322 Develop or assist in the development of on-the-job training materials or programs Develop or assist in the development of written tests for measuring and assessing learner T0323 proficiency T0324 Direct software programming and development of documentation T0325 Document a system's purpose and preliminary system security concept of operations T0326 Employ configuration management processes T0327 Evaluate network infrastructure vulnerabilities to enhance capabilities being developed Evaluate security architectures and designs to determine the adequacy of security design and architecture proposed or provided in response to requirements contained in acquisition T0328 documents T0329 Follow software and systems engineering life cycle standards and processes 
T0330 Maintain assured message delivery systems T0331 Maintain incident tracking and solution database Notify designated managers cyber incident responders and cybersecurity service provider team members of suspected cyber incidents and articulate the event's history status and potential impact for further action in accordance with the organization's cyber incident T0332 response plan T0333 Perform cyber defense trend analysis and reporting Ensure that all systems components can be integrated and aligned e g procedures databases T0334 policies software and hardware T0335 Build install configure and test dedicated cyber defense hardware T0336 Withdrawn Integrated with T0228 Supervise and assign work to programmers designers technologists and technicians and other T0337 engineering and scientific personnel T0338 Write detailed functional specifications that document the architecture development process Leads efforts to promote the organization's use of knowledge management and information T0339 sharing Act as a primary stakeholder in the underlying information technology IT operational processes and functions that support the service provide direction and monitor all significant T0340 activities so the service is delivered successfully 42 NIST SP 800-181 DRAFT Task T0341 T0342 T0343 T0344 T0345 T0346 T0347 T0348 T0349 T0350 T0351 T0352 T0353 T0354 T0355 T0356 T0357 T0358 T0359 T0360 T0361 T0362 T0363 T0364 T0365 T0366 T0367 T0368 T0369 NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Task Description Advocate for adequate funding for cyber training resources to include both internal and industry-provided courses instructors and related materials Analyze data sources to provide actionable recommendations Analyze the crisis situation to ensure public personal and resource protection Assess all the configuration management change configuration release management processes Assess effectiveness and efficiency of instruction according to ease of instructional technology use and 
student learning knowledge transfer and satisfaction Assess the behavior of the individual victim witness or suspect as it relates to the investigation Assess the validity of source data and subsequent findings Assist in assessing the impact of implementing and sustaining a dedicated cyber defense infrastructure Collect metrics and trending data Conduct a market analysis to identify assess and recommend commercial GOTS and open source products for use within a system and ensure recommended products are in compliance with organization's evaluation and validation requirements Conduct hypothesis testing using statistical processes Conduct learning needs assessments and identify requirements Confer with systems analysts engineers programmers and others to design application Coordinate and manage the overall service provided to a customer end-to-end Coordinate with internal and external subject matter experts to ensure existing qualification standards reflect organizational functional requirements and meet industry standards Coordinate with organizational manpower stakeholders to ensure appropriate allocation and distribution of human capital assets Create interactive learning exercises to create an effective learning environment Design and develop system administration and management functionality for privileged access users Design implement test and evaluate secure interfaces between information systems physical systems and or embedded technologies Determine the extent of threats and recommend courses of action or countermeasures to mitigate risks Develop and facilitate data-gathering methods Develop and implement standardized position descriptions based on established cyber work roles Develop and review recruiting hiring and retention procedures in accordance with current Human Resource HR policies Develop cyber career field classification structure to include establishing career field entry requirements and other nomenclature such as codes and identifiers Develop or 
assist in the development of training policies and protocols for cyber training Develop strategic insights from large data sets Develop the goals and objectives for cyber curriculum Ensure cyber career fields are managed in accordance with organizational Human Resource HR policies and directives Ensure cyber workforce management policies and processes comply with legal and organizational requirements regarding equal opportunity diversity and fair hiring employment practices 43 NIST SP 800-181 DRAFT Task T0370 T0371 T0372 T0373 T0374 T0375 T0376 T0377 T0378 T0379 T0380 T0381 T0382 T0383 T0384 T0385 T0386 T0387 T0388 T0389 T0390 T0391 T0392 T0393 T0394 T0395 T0396 NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Task Description Ensure that appropriate Service Level Agreements SLAs and underpinning contracts have been defined that clearly set out for the customer a description of the service and the measures for monitoring the service Establish acceptable limits for the software application network or system Establish and collect metrics to monitor and validate cyber workforce readiness including analysis of cyber workforce data to assess the status of positions identified filled and filled with qualified personnel Establish and oversee waiver processes for cyber career field entry and training qualification requirements Establish cyber career paths to allow career progression deliberate development and growth within and between cyber career fields Establish manpower personnel and qualification data element standards to support cyber workforce management and reporting requirements Establish resource implement and assess cyber workforce management programs in accordance with organizational requirements Gather feedback on customer satisfaction and internal service performance to foster continual improvement Incorporates risk-driven systems maintenance updates process to address system deficiencies periodically and out of cycle Manage the internal relationship with 
information technology (IT) process owners supporting the service, assisting with the definition and agreement of Operating Level Agreements (OLAs).
Plan instructional strategies such as lectures, demonstrations, interactive exercises, multimedia presentations, video courses, and web-based courses for the most effective learning environment, in conjunction with educators and trainers.
Present technical information to technical and non-technical audiences.
Present data in creative formats.
Program custom algorithms.
Promote awareness of cyber policy and strategy as appropriate among management and ensure sound principles are reflected in the organization's mission, vision, and goals.
Provide actionable recommendations to critical stakeholders based on data analysis and findings.
Provide criminal investigative support to trial counsel during the judicial process.
Review and apply cyber career field qualification standards.
Review and apply organizational policies related to or having an effect on the cyber workforce.
Review service performance reports, identifying any significant issues and variances, initiating corrective actions where necessary, and ensuring that all outstanding issues are followed up.
Review/Assess cyber workforce effectiveness to adjust skill and/or qualification standards.
Support integration of qualified cyber workforce personnel into information systems lifecycle development processes.
Utilize technical documentation or resources to implement a new mathematical, data science, or computer science method.
Validate specifications and requirements for testability.
Work with other service managers and product owners to balance and prioritize services to meet overall customer requirements, constraints, and objectives.
Write and publish after action reviews.
Process image with appropriate tools depending on analyst's goals.

44  NIST SP 800-181 DRAFT    NICE CYBERSECURITY WORKFORCE FRAMEWORK (NCWF)

Task   Task Description
T0397  Perform Windows registry analysis.
T0398  Perform file and registry monitoring on the running system after identifying intrusion via dynamic analysis.
T0399  Enter media information into tracking database (e.g., Product Tracker Tool) for digital media that has been acquired.
T0400  Correlate incident data and perform cyber defense reporting.
T0401  Maintain deployable cyber defense toolkit (e.g., specialized cyber defense software/hardware) to support IRT mission.
T0402  Effectively allocate storage capacity in the design of data management systems.
T0403  Read, interpret, write, modify, and execute simple scripts (e.g., PERL, VBS) on Windows and UNIX systems (e.g., those that perform tasks such as parsing large data files, automating manual tasks, and fetching/processing remote data).
T0404  Utilize different programming languages to write code, open files, read files, and write output to different files.
T0405  Utilize open source language such as R and apply quantitative techniques (e.g., descriptive and inferential statistics, sampling, experimental design, parametric and non-parametric tests of difference, ordinary least squares regression, general line).
T0406  Ensure design and development activities are properly documented (providing a functional description of implementation) and updated as necessary.
T0407  Participate in the acquisition process as necessary.
T0408  Interpret and apply applicable laws, statutes, and regulatory documents and integrate into policy.
T0409  Troubleshoot prototype design and process issues throughout the product design, development, and pre-launch phases.
T0410  Identify functional- and security-related features to find opportunities for new capability development to exploit or mitigate vulnerabilities.
T0411  Identify and/or develop reverse engineering tools to enhance capabilities and detect vulnerabilities.
T0412  Conduct import/export reviews for acquiring systems and software.
T0413  Develop data management capabilities (e.g., cloud based, centralized cryptographic key management) to include support to the mobile workforce.
T0414  Develop supply chain, system, network, performance, and cyber security requirements.
T0415  Ensure supply chain, system, network, performance, and cyber security requirements are included in contract language and delivered.
T0416  Enable applications with public keying by leveraging existing public key infrastructure (PKI) libraries and incorporating certificate management and encryption functionalities when appropriate.
T0417  Identify and leverage the enterprise-wide security services while designing and developing secure applications (e.g., Enterprise PKI, Federated Identity server, Enterprise Anti-Virus solution) when appropriate.
T0418  Install, update, and troubleshoot systems/servers.
T0419  Acquire and maintain a working knowledge of constitutional issues, relevant laws, regulations, policies, agreements, standards, procedures, or other issuances.
T0420  Administer test bed(s), and test and evaluate applications, hardware infrastructure, rules/signatures, access controls, and configurations of platforms managed by service provider(s).
T0421  Manage the indexing/cataloguing, storage, and access of explicit organizational knowledge (e.g., hard copy documents, digital files).
T0422  Implement data management standards, requirements, and specifications.
T0423  Analyze computer-generated threats for counter intelligence or criminal activity.
T0424  Analyze and provide information to stakeholders that will support the development of a security application or modification of an existing security application.
T0425  Analyze organizational cyber policy.
T0426  Analyze the results of software, hardware, or interoperability testing.
T0427  Analyze user needs and requirements to plan architecture.
T0428  Analyze security needs and software requirements to determine feasibility of design within time and cost constraints and security mandates.
T0429  Assess policy needs and collaborate with stakeholders to develop policies to govern cyber activities.
T0430  Gather and preserve evidence used in the prosecution of computer crimes.
T0431  Check system hardware availability, functionality, integrity, and efficiency.
T0432  Collect and analyze intrusion artifacts (e.g., source code, malware, and system configuration) and use discovered data to enable mitigation of potential cyber defense incidents within the enterprise.
T0433  Conduct analysis of log files, evidence, and other information in order to determine best methods for identifying the perpetrator(s) of a network intrusion or other crimes.
T0434  Conduct framing of pleadings to properly identify alleged violations of law, regulations, or policy/guidance.
T0435  Conduct periodic system maintenance including cleaning (both physically and electronically), disk checks, routine reboots, data dumps, and testing.
T0436  Conduct trial runs of programs and software applications to ensure the desired information is produced and instructions and security levels are correct.
T0437  Correlate training and learning to business or mission requirements.
T0438  Create, edit, and manage network access control lists on specialized cyber defense systems (e.g., firewalls and intrusion prevention systems).
T0439  Detect and analyze encrypted data, steganography, alternate data streams, and other forms of concealed data.
T0440  Capture and integrate essential system capabilities or business functions required for partial or full system restoration after a catastrophic failure event.
T0441  Define and integrate current and future mission environments.
T0442  Create training courses tailored to the audience and physical environment.
T0443  Deliver training courses tailored to the audience and physical/virtual environments.
T0444  Apply concepts, procedures, software, equipment, and/or technology applications to students.
T0445  Design/integrate a cyber strategy that outlines the vision, mission, and goals that align with the organization's strategic plan.
T0446  Design, develop, integrate, and update system security measures that provide confidentiality, integrity, availability, authentication, and non-repudiation.
T0447  Design hardware, operating systems, and software applications to adequately address requirements.
T0448  Develop enterprise architecture or system components required to meet user needs.
T0449  Design to security requirements to ensure requirements are met for all systems and/or applications.
T0450  Design training curriculum and course content based on requirements.
T0451  Participate in development of training curriculum and course content.
T0452  Design, build, implement, and maintain a knowledge management framework that provides end-users access to the organization's intellectual capital.
T0453  Determine and develop leads and identify sources of information in order to identify and/or prosecute the responsible parties to an intrusion or other crimes.
T0454  Define baseline security requirements in accordance with applicable guidelines.
T0455  Develop software system testing and validation procedures, programming, and documentation.
T0456  Develop secure software testing and validation procedures.
T0457  Develop system testing and validation procedures, programming, and documentation.
T0458  Comply with organization systems administration standard operating procedures.
T0459  Implement data mining and data warehousing applications.
T0460  Develop and implement data mining and data warehousing programs.
T0461  Implement and enforce local network usage policies and procedures.
T0462  Develop procedures and test fail-over for system operations transfer to an alternate site based on system availability requirements.
T0463  Develop cost estimates for new or modified system(s).
T0464  Develop detailed design documentation for component and interface specifications to support system design and development.
T0465  Develop guidelines for implementation.
T0466  Develop mitigation strategies to address cost, schedule, performance, and security risks.
T0467  Ensure training meets the goals and objectives for cybersecurity training, education, or awareness.
T0468  Diagnose and resolve customer reported system incidents, problems, and events.
T0469  Analyze and report organizational security posture trends.
T0470  Analyze and report system security posture trends.
T0471  Document original condition of digital and/or associated evidence (e.g., via digital photographs, written reports, hash function checking).
T0472  Draft, staff, and publish cyber policy.
T0473  Document and update as necessary all definition and architecture activities.
T0474  Provide legal analysis and decisions to inspector generals, privacy officers, oversight and compliance personnel with regard to compliance with cybersecurity policies and relevant legal and regulatory requirements.
T0475  Assess adequate access controls based on principles of least privilege and need-to-know.
T0476  Evaluate the impact of changes to laws, regulations, policies, standards, or procedures.
T0477  Ensure the execution of disaster recovery and continuity of operations.
T0478  Provide guidance on laws, regulations, policies, standards, or procedures to management, personnel, or clients.
T0479  Employ information technology (IT) systems and digital storage media to solve, investigate, and/or prosecute cybercrimes and fraud committed against people and property.
T0480  Identify components or elements, allocate comprehensive functional components to include security functions, and describe the relationships between the elements.
T0481  Identify and address cyber workforce planning and management issues (e.g., recruitment, retention, and training).
T0482  Make recommendations based on trend analysis for enhancements to software and hardware solutions to enhance customer experience.
T0483  Identify potential conflicts with implementation of any cyber defense tools (e.g., tool and signature testing and optimization).
T0484  Document the protection needs (i.e., security controls) for the information system(s) and network(s) and document appropriately.
T0485  Implement security measures to resolve vulnerabilities, mitigate risks, and recommend security changes to system or system components as needed.
T0486  Implement Risk Management Framework (RMF)/Security Assessment and Authorization (SA&A) requirements for dedicated cyber defense systems within the enterprise, and document and maintain records for them.
T0487  Facilitate implementation of new or revised laws, regulations, executive orders, policies, standards, or procedures.
T0488  Implement designs for new or existing system(s).
T0489  Implement system security measures in accordance with established procedures to ensure confidentiality, integrity, availability, authentication, and non-repudiation.
T0490  Install and configure database management systems and software.
T0491  Install and configure hardware, software, and peripheral equipment for system users in accordance with organizational standards.
T0492  Ensure the integration and implementation of Cross-Domain Solutions (CDS) in a secure environment.
T0493  Lead and oversee budget, staffing, and contracting.
T0494  Administer accounts, network rights, and access to systems and equipment.
T0495  Manage Accreditation Packages (e.g., ISO/IEC 15026-2).
T0496  Perform asset management/inventory of information technology (IT) resources.
T0497  Manage the information technology (IT) planning process to ensure that developed solutions meet customer requirements.
T0498  Manage system/server resources including performance, capacity, availability, serviceability, and recoverability.
T0499  Mitigate/correct security deficiencies identified during security/certification testing and/or recommend risk acceptance for the appropriate senior leader or authorized representative.
T0500  Modify and maintain existing software to correct errors, to adapt it to new hardware, or to upgrade interfaces and improve performance.
T0501  Monitor and maintain system/server configuration.
T0502  Monitor and report client-level computer system performance.
T0503  Monitor external data sources (e.g., cyber defense vendor sites, Computer Emergency Response Teams, Security Focus) to maintain currency of cyber defense threat condition and determine which security issues may have an impact on the enterprise.
T0504  Assess and monitor cybersecurity related to system implementation and testing practices.
T0505  Monitor the rigorous application of cyber policies, principles, and practices in the delivery of planning and management services.
T0506  Seek consensus on proposed policy changes from stakeholders.
T0507  Oversee installation, implementation, configuration, and support of system components.
T0508  Verify minimum security requirements are in place for all applications.
T0509  Perform an information security risk assessment.
T0510  Coordinate incident response functions.
T0511  Perform developmental testing on systems under development.
T0512  Perform interoperability testing on systems exchanging electronic information with other systems.
T0513  Perform operational testing.
T0514  Diagnose faulty system/server hardware.
T0515  Perform repairs on faulty system/server hardware.
T0516  Perform secure program testing, review, and/or assessment to identify potential flaws in codes and mitigate vulnerabilities.
T0517  Integrate results regarding the identification of gaps in security architecture.
T0518  Perform security reviews and identify security gaps in architecture.
T0519  Plan and coordinate the delivery of classroom techniques and formats (e.g., lectures, demonstrations, interactive exercises, multimedia presentations) for the most effective learning environment.
T0520  Plan non-classroom educational techniques and formats (e.g., video courses, mentoring, web-based courses).
T0521  Plan implementation strategy to ensure enterprise components can be integrated and aligned.
T0522  Prepare legal and other relevant documents (e.g., depositions, briefs, affidavits, declarations, appeals, pleadings, discovery).
T0523  Prepare reports to document the investigation following legal standards and requirements.
T0524  Promote knowledge sharing between information owners/users through an organization's operational processes and systems.
T0525  Provide enterprise cybersecurity and supply chain risk management guidance.
T0526  Provide cybersecurity recommendations to leadership based on significant threats and vulnerabilities.
T0527  Provide input to implementation plans and standard operating procedures as they relate to information systems security.
T0528  Provide input to implementation plans, standard operating procedures, maintenance documentation, and maintenance training materials.
T0529  Provide policy guidance to cyber management, staff, and users.
T0530  Develop a trend analysis and impact report.
T0531  Troubleshoot hardware/software interface and interoperability problems.
T0532  Review forensic images and other data sources (e.g., volatile data) for recovery of potentially relevant information.
T0533  Review, conduct, or participate in audits of cyber programs and projects.
T0534  Conduct periodic reviews/revisions of course content for accuracy, completeness, alignment, and currency (e.g., course content documents, lesson plans, student texts, examinations, schedules of instruction, and course descriptions).
T0535  Recommend revisions to curriculum and course content based on feedback from previous training sessions.
T0536  Serve as an internal consultant and advisor in own area of expertise (e.g., technical, copyright, print media, electronic media).
T0537  Support the CIO in the formulation of cyber-related policies.
T0538  Provide support to test and evaluation activities.
T0539  Test, evaluate, and verify hardware and/or software to determine compliance with defined specifications and requirements.
T0540  Record and manage test data.
T0541  Trace system requirements to design components and perform gap analysis.
T0542  Translate proposed capabilities into technical requirements.
T0543  Use data carving techniques (e.g., FTK-Foremost) to extract data for further analysis.
T0544  Verify stability, interoperability, portability, and/or scalability of system architecture.
T0545  Work with stakeholders to resolve computer security incidents and vulnerability compliance.
T0546  Write and publish cyber defense recommendations, reports, and white papers on incident findings to appropriate constituencies.
T0547  Research and evaluate available technologies and standards to meet customer requirements.
T0548  Provide advice and input for Disaster Recovery, Contingency, and Continuity of Operations Plans.
T0549  Perform technical (evaluation of technology) and non-technical (evaluation of people and operations) risk and vulnerability assessments of relevant technology focus areas (e.g., local computing environment, network and infrastructure, enclave boundary, supporting infrastructure, and applications).
T0550  Make recommendations regarding the selection of cost-effective security controls to mitigate risk (e.g., protection of information, systems, and processes).
T0551  Draft and publish supply chain security and risk management documents.
T0552  Review and approve a supply chain security/risk management policy.
T0553  Apply cybersecurity functions (e.g., encryption, access control, and identity management) to reduce exploitation opportunities.
T0554  Determine and document software patches or the extent of releases that would leave software vulnerable.
T0555  Document how the implementation of a new system or new interface between systems impacts the current and target environment, including but not limited to security posture.
T0556  Assess and design security management functions as related to cyberspace.
T0557  Integrate key management functions as related to cyberspace.
T0558  Analyze user needs and requirements to plan and conduct system development.
T0559  Develop designs to meet specific operational needs and environmental factors (e.g., access controls, automated applications, networked operations).
T0560  Collaborate on cybersecurity designs to meet specific operational needs and environmental factors (e.g., access controls, automated applications, networked operations, high integrity and availability requirements, multilevel security/processing of multiple classification levels, and processing Sensitive Compartmented Information).
T0561  Accurately characterize targets.
T0562  Adjust collection operations or collection plan to address identified issues/challenges and to synchronize collections with overall operational requirements.
T0563  Provide input to the analysis, design, development, or acquisition of capabilities used for meeting objectives.
T0564  Analyze feedback to determine extent to which collection products and services are meeting requirements.
T0565  Analyze incoming collection requests.
T0566  Analyze own operational architecture, tools, and procedures for ways to improve performance.
T0567  Analyze target operational architecture for ways to gain access.
T0568  Analyze plans, directives, guidance, and policy for factors that would influence collection management's operational structure and requirement(s) (e.g., duration, scope, communication requirements, interagency/international agreements).
T0569  Answer requests for information.
T0570  Apply and utilize authorized cyber capabilities to enable access to targeted networks.
T0571  Apply expertise in policy and processes to facilitate the development, negotiation, and internal staffing of plans and/or memorandums of agreement.
T0572  Apply cyber collection, environment preparation, and engagement expertise to enable new exploitation and/or continued collection operations, or in support of customer requirements.
T0573  Assess and apply operational environment factors and risks to collection management process.
T0574  Apply and obey applicable statutes, laws, regulations, and policies.
T0575  Coordinate for intelligence support to operational planning activities.
T0576  Assess all-source intelligence and recommend targets to support cyber operation objectives.
T0577  Assess efficiency of existing information exchange and management systems.
T0578  Assess performance of collection assets against prescribed specifications.
T0579  Assess target vulnerabilities and/or operational capabilities to determine course of action.
T0580  Assess the effectiveness of collections in satisfying priority information gaps, using available capabilities and methods, and then adjust collection strategies and collection requirements accordingly.
T0581  Assist and advise inter-agency partners in identifying and developing best practices for facilitating operational support to achievement of organization objectives.
T0582  Provide expertise to course of action development.
T0583  Provide subject matter expertise to the development of a common operational picture.
T0584  Maintain a common intelligence picture.
T0585  Provide subject matter expertise to the development of cyber operations specific indicators.
T0586  Assist in the coordination, validation, and management of all-source collection requirements, plans, and/or activities.
T0587  Assist in the development and refinement of priority information requirements.
T0588  Provide expertise to the development of measures of effectiveness and measures of performance.
T0589  Assist in the identification of intelligence collection shortfalls.
T0590  Enable synchronization of intelligence support plans across partner organizations as required.
T0591  Perform analysis for target infrastructure exploitation activities.
T0592  Provide input to the identification of cyber-related success criteria.
T0593  Brief threat and/or target current situations.
T0594  Build and maintain electronic target folders.
T0595  Classify documents in accordance with classification guidelines.
T0596  Close requests for information once satisfied.
T0597  Collaborate with intelligence analysts/targeting organizations involved in related areas.
T0598  Collaborate with development organizations to create and deploy the tools needed to achieve objectives.
T0599  Collaborate with other customer, Intelligence, and targeting organizations involved in related cyber areas.
T0600  Collaborate with other internal and external partner organizations on target access and operational issues.
T0601  Collaborate with other team members or partner organizations to develop a diverse program of information materials (e.g., web pages, briefings, print materials).
T0602  Collaborate with customer to define information requirements.
T0603  Communicate new developments, breakthroughs, challenges, and lessons learned to leadership and internal and external customers.
T0604  Compare allocated and available assets to collection demand as expressed through requirements.
T0605  Compile lessons learned from collection management activity's execution of organization collection objectives.
T0606  Compile, integrate, and/or interpret all-source data for intelligence or vulnerability value with respect to specific targets.
T0607  Identify and conduct analysis of target communications to identify information essential to support operations.
T0608  Conduct analysis of physical and logical digital technologies (e.g., wireless, SCADA, telecom) to identify potential avenues of access.
T0609  Conduct access enabling of wireless computer and digital networks.
T0610  Conduct collection and processing of wireless computer and digital networks.
T0611  Conduct end-of-operations assessments.
T0612  Conduct exploitation of wireless computer and digital networks.
T0613  Conduct formal and informal coordination of collection requirements in accordance with established guidelines and procedures.
T0614  Conduct independent in-depth target and technical analysis, including target-specific information (e.g., cultural, organizational, political), that results in access.
T0615  Conduct in-depth research and analysis.
T0616  Conduct network scouting and vulnerability analyses of systems within a network.
T0617  Conduct nodal analysis.
T0618  Conduct on-net activities to control and exfiltrate data from deployed technologies.
T0619  Conduct on-net and off-net activities to control and exfiltrate data from deployed, automated technologies.
T0620  Conduct open source data collection via various online tools.
T0621  Conduct quality control in order to determine validity and relevance of information gathered about networks.
T0622  Develop, review, and implement all levels of planning guidance in support of cyber operations.
T0623  Conduct survey of computer and digital networks.
T0624  Conduct target research and analysis.
T0625  Consider efficiency and effectiveness of collection assets and resources if/when applied against priority information requirements.
T0626  Construct collection plans and matrixes using established guidance and procedures.
T0627  Contribute to crisis action planning for cyber operations.
T0628  Contribute to the development of the organization's decision support tools if necessary.
T0629  Contribute to the development, staffing, and coordination of cyber operations policies, performance standards, plans, and approval packages with appropriate internal and/or external decision makers.
T0630  Incorporate intelligence equities into the overall design of cyber operations plans.
T0631  Coordinate resource allocation of collection assets against prioritized collection requirements with collection discipline leads.
T0632  Coordinate inclusion of collection plan in appropriate documentation.
T0633  Coordinate target vetting with appropriate partners.
T0634  Re-task or re-direct collection assets and resources.
T0635  Coordinate with intelligence and cyber defense partners to obtain relevant essential information.
T0636  Coordinate with intelligence planners to ensure collection managers receive information requirements.
T0637  Coordinate with the intelligence planning team to assess capability to satisfy assigned intelligence tasks.
T0638  Coordinate, produce, and track intelligence requirements.
T0639  Coordinate, synchronize, and draft applicable intelligence sections of cyber operations plans.
T0640  Use intelligence estimates to counter potential target actions.
T0641  Create comprehensive exploitation strategies that identify exploitable technical or operational vulnerabilities.
T0642  Maintain awareness of internal and external cyber organization structures, strengths, and employments of staffing and technology.
T0643  Deploy tools to a target and utilize them once deployed (e.g., backdoors, sniffers).
T0644  Detect exploits against targeted networks and hosts and react accordingly.
T0645  Determine course of action for addressing changes to objectives, guidance, and operational environment.
T0646  Determine existing collection management webpage databases, libraries, and storehouses.
T0647  Determine how identified factors affect the tasking, collection, processing, exploitation, and dissemination architecture's form and function.
T0648  Determine indicators (e.g., measures of effectiveness) that are best suited to specific cyber operation objectives.
T0649  Determine organizations and/or echelons with collection authority over all accessible collection assets.
T0650  Determine what technologies are used by a given target.
T0651  Develop a method for comparing collection reports to outstanding requirements to identify information gaps.
T0652  Develop all-source intelligence targeting materials.
T0653  Apply analytic techniques to gain more target information.
T0654  Develop and maintain deliberate and/or crisis plans.
T0655  Develop and review specific cyber operations guidance for integration into broader planning activities.
T0656  Develop and review intelligence guidance for integration into supporting cyber operations planning and execution.
T0657  Develop coordinating instructions by collection discipline for each phase of an operation.
T0658  Develop cyber operations plans and guidance to ensure that execution and resource allocation decisions align with organization objectives.
T0659  Develop detailed intelligence support to cyber operations requirements.
T0660  Develop information requirements necessary for answering priority information requests.
T0661  Develop measures of effectiveness and measures of performance.
T0662  Allocate collection assets based on leadership's guidance, priorities, and/or operational emphasis.
T0663  Develop munitions effectiveness assessment or operational assessment materials.
T0664  Develop new techniques for gaining and keeping access to target systems.
T0665  Develop or participate in the development of standards for providing, requesting, and/or obtaining support from external partners to synchronize cyber operations.
T0666  Develop or shape international cyber engagement strategies, policies, and activities to meet organization objectives.
T0667  Develop potential courses of action.
T0668  Develop procedures for providing feedback to collection managers, asset managers, and processing, exploitation, and dissemination centers.
T0669  Develop strategy and processes for partner planning, operations, and capability development.
T0670  Develop, implement, and recommend changes to appropriate planning procedures and policies.
T0671  Develop, maintain, and assess cyber cooperation security agreements with external partners.
T0672  Devise, document, and validate cyber operation strategy and planning documents.
T0673  Disseminate reports to inform decision makers on collection issues.
T0674  Disseminate tasking messages and collection plans.
T0675  Conduct and document an assessment of the collection results using established procedures.
T0676  Draft cyber intelligence collection and production requirements.
T0677  Edit or execute simple scripts (e.g., PERL, VBS) on Windows and UNIX systems.
T0678  Engage customers to understand customers' intelligence needs and wants.
T0679  Ensure operational planning efforts are effectively transitioned to current operations.
T0680  Ensure that intelligence planning activities are integrated and synchronized with operational planning timelines.
T0681  Establish alternative processing, exploitation, and dissemination pathways to address identified issues or problems.
T0682  Validate the link between collection requests and critical information requirements and priority intelligence requirements of leadership.
T0683  Establish processing, exploitation, and dissemination management activity using approved guidance and/or procedures.
T0684  Estimate operational effects generated through cyber activities.
T0685  Evaluate threat decision-making processes.
T0686  Identify threat vulnerabilities.
T0687  Identify threats to Blue Force vulnerabilities.
T0688  Evaluate available capabilities against desired effects in order to recommend efficient solutions.
T0689  Evaluate extent to which collected information and/or produced intelligence satisfy information requests.
T0690  Evaluate intelligence estimates to support the planning cycle.
T0691  Evaluate the conditions that affect employment of available cyber intelligence capabilities.
T0692  Generate and evaluate the effectiveness of network analysis strategies.
T0693  Evaluate extent to which collection operations are synchronized with operational requirements.
T0694  Evaluate the effectiveness of collection operations against the collection plan.
T0695  Examine intercept-related metadata and content with an understanding of targeting significance.
T0696  Exploit network devices, security devices, and/or terminals or environments using various methods or tools.
T0697  Facilitate access enabling by physical and/or wireless means.
T0698  Facilitate continuously updated intelligence, surveillance, and visualization input to common operational picture managers.
T0699  Facilitate interactions between internal and external partner decision makers to synchronize and integrate courses of action in support of objectives.
T0700  Facilitate the sharing of "best practices" and "lessons learned" throughout the cyber operations community.
T0701  Collaborate with developers, conveying target and technical knowledge in tool requirements submissions, to enhance tool development.
T0702  Formulate collection strategies based on knowledge of available intelligence discipline capabilities and gathering methods that align multi-discipline collection capabilities and accesses with targets and their observables.
T0703  Gather and analyze data (e.g., measures of effectiveness) to determine effectiveness and provide reporting for follow-on activities.
T0704  Incorporate cyber operations and communications security support plans into organization objectives.
T0705  Incorporate intelligence and counterintelligence to support plan development.
T0706  Gather information about networks through traditional and alternative techniques (e.g., social network analysis, call-chaining, traffic analysis).
T0707  Generate requests for information.
T0708  Identify threat tactics and methodologies.
T0709  Identify all available partner intelligence capabilities and limitations supporting cyber operations.
T0710  Identify and evaluate threat critical capabilities, requirements, and vulnerabilities.
T0711  Identify, draft, evaluate, and prioritize relevant intelligence or information requirements.
T0712  Identify and manage security cooperation priorities with external partners.
T0713  Identify and submit intelligence requirements for the purposes of designating priority information requirements.
T0714  Identify collaboration forums that can serve as mechanisms for coordinating processes, functions, and outputs with specified organizations and functional groups.
T0715  Identify collection gaps and potential collection strategies against targets.
T0716  Identify coordination requirements and procedures with designated collection authorities.
T0717 Identify critical target elements T0718 Identify intelligence gaps and shortfalls T0719 Identify cyber intelligence gaps and shortfalls Identify gaps in our understanding of target technology and developing innovative collection T0720 approaches Identify issues or problems that can disrupt and or degrade processing exploitation and T0721 dissemination architecture effectiveness Identify network components and their functionality to enable analysis and target T0722 development Identify potential collection disciplines for application against priority information T0723 requirements T0724 Identify potential points of strength and vulnerability within a network Identify and mitigate risks to collection management ability to support the plan operations T0725 and target cycle Identify the need scope and timeframe for applicable intelligence environment preparation T0726 derived production T0727 Identify locate and track targets via geospatial analysis techniques T0728 Provide input to or develop courses of action based on threat factors Inform external partners of the potential effects of new or revised policy and guidance on T0729 cyber operations partnering activities Inform stakeholders e g collection managers asset managers processing exploitation and T0730 dissemination centers of evaluation results using established procedures T0731 Initiate requests to guide tasking and assist with collection management T0732 Integrate cyber planning targeting efforts with other organizations T0733 Interpret environment preparations assessments to determine a course of action T0734 Issue requests for information T0735 Lead and coordinate intelligence support to operational planning Lead or enable exploitation operations in support of organization objectives and target T0736 requirements T0737 Link priority collection requirements to optimal assets and resources Maintain awareness of advancements in hardware and software technologies e g attend T0738 training or conferences 
reading and their potential implications Maintain relationships with internal and external partners involved in cyber planning or T0739 related areas T0740 Maintain situational awareness and functionality of organic operational infrastructure Maintain situational awareness of cyber-related intelligence requirements and associated T0741 tasking T0742 Maintain situational awareness of partner capabilities and activities Maintain situational awareness to determine if changes to the operating environment require T0743 review of the plan T0744 Maintain target lists i e RTL JTL CTL etc 55 NIST SP 800-181 DRAFT Task NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Task Description T0745 Make recommendations to guide collection in support of customer requirements T0746 Modify collection requirements as necessary Monitor and evaluate integrated cyber operations to identify opportunities to meet T0747 organization objectives Monitor and report changes in threat dispositions activities tactics capabilities objectives T0748 etc as related to designated cyber operations warning problem sets T0749 Monitor and report on validated threat activities T0750 Monitor completion of reallocated collection efforts Monitor open source websites for hostile content directed towards organizational or partner T0751 interests Monitor operational environment and report on adversarial activities which fulfill leadership’s T0752 priority information requirements Monitor operational status and effectiveness of the processing exploitation and dissemination T0753 architecture Monitor target networks to provide indications and warning of target communications changes T0754 or processing failures Monitor the operational environment for potential factors and risks to the collection operation T0755 management process T0756 Operate and maintain automated systems for gaining and maintaining access to target systems Optimize mix of collection assets and resources to increase effectiveness and efficiency T0757 
against essential information associated with priority intelligence requirements Produce timely fused all-source cyber operations intelligence and or indications and warnings intelligence products e g threat assessments briefings intelligence studies country T0758 studies Contribute to the review and refinement of policy to include assessments of the consequences T0759 of endorsing or not endorsing such policy Provide subject matter expertise to planning teams coordination groups and task forces as T0760 necessary Provide SME and support to planning developmental forums and working groups as T0761 appropriate T0762 Provide subject matter expertise in course of action development Conduct long-range strategic planning efforts with internal and external partners in cyber T0763 activities Provide subject matter expertise to planning efforts with internal and external cyber operations T0764 partners T0765 Provide subject matter expertise to development of exercises T0766 Propose policy which governs interactions with external coordination groups T0767 Perform content and or metadata analysis to meet organization objectives Conduct cyber activities to degrade remove information resident in computers and computer T0768 networks T0769 Perform targeting automation activities T0770 Develop website characterizations T0771 Provide subject matter expertise to website characterizations T0772 Prepare for and provide subject matter expertise to exercises T0773 Prioritize collection requirements for collection platforms based on platform capabilities T0774 Process exfiltrated data for analysis and or dissemination to customers T0775 Produce network reconstructions T0776 Produce target system analysis products 56 NIST SP 800-181 DRAFT Task NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Task Description T0777 Profile network or system administrators and their activities T0778 Profile targets and their activities Provide advice assistance to operations and intelligence decision makers 
with reassignment of T0779 collection assets and resources in response to dynamic operational situations Provide advisory and advocacy support to promote collection planning as an integrated T0780 component of the strategic campaign plans and other adaptive plans T0781 Provide aim point and re-engagement recommendations T0782 Provide analyses and support for effectiveness assessment T0783 Provide current intelligence support to critical internal external stakeholders as appropriate T0784 Provide cyber focused guidance and advice on intelligence support plan inputs Provide evaluation and feedback necessary for improving intelligence production intelligence T0785 reporting collection requirements and operations Provide information and assessments for the purposes of informing leadership and customers developing and refining objectives supporting operation planning and execution and T0786 assessing the effects of operations Provide input for the development and refinement of the cyber operations objectives T0787 priorities strategies plans and programs T0788 Provide input and assist in post-action effectiveness assessments T0789 Provide input and assist in the development of plans and guidance T0790 Provide input for targeting effectiveness assessments for leadership acceptance T0791 Provide input to the administrative and logistical elements of an operational support plan Provide intelligence analysis and support to designated exercises planning activities and time T0792 sensitive operations T0793 Provide effectiveness support to designated exercises and or time sensitive operations T0794 Provide operations and re-engagement recommendations T0795 Provide planning support between internal and external partners T0796 Provide real-time actionable geolocation information T0797 Provide target recommendations which meet leadership objectives T0798 Provide targeting products and targeting support as designated T0799 Provide time sensitive targeting support Provide timely 
notice of imminent or hostile intentions or activities which may impact T0800 organization objectives resources or capabilities Recommend refinement adaption termination and execution of operational plans as T0801 appropriate Review appropriate information sources to determine validity and relevance of information T0802 gathered T0803 Reconstruct networks in diagram or report format Record information collection and or environment preparation activities against targets during T0804 operations designed to achieve cyber effects T0805 Report intelligence-derived significant network events and intrusions Request discipline-specific processing exploitation and disseminate information collected using discipline's collection assets and resources in accordance with approved guidance and or T0806 procedures Research communications trends in emerging technologies in computer and telephony T0807 networks satellite cable and wireless in both open and classified sources T0808 Review and comprehend organizational leadership objectives and guidance for planning T0809 Review capabilities of allocated collection assets T0810 Review intelligence collection guidance for accuracy applicability 57 NIST SP 800-181 DRAFT Task NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Task Description T0811 Review list of prioritized collection requirements and essential information T0812 Review and update overarching collection plan as required Review approve prioritize and submit operational requirements for research development T0813 and or acquisition of cyber capabilities T0814 Revise collection matrix based on availability of optimal assets and resources T0815 Sanitize and minimize information to protect sources and methods T0816 Scope the cyber intelligence planning effort Serve as a conduit of information from partner teams by identifying subject matter experts T0817 who can assist in the investigation of complex or unusual situations T0818 Serve as a liaison with external partners Solicit and 
manage to completion feedback from requestors on quality timeliness and T0819 effectiveness of collection against collection requirements Specify changes to collection plan and or operational environment that necessitate re-tasking T0820 or re-directing of collection assets and resources T0821 Specify discipline-specific collections and or taskings that must be executed in the near term Submit information requests to collection requirement management section for processing as T0822 collection requests T0823 Submit or respond to requests for deconfliction of cyber operations T0824 Support identification and documentation of collateral effects Synchronize cyber international engagement activities and associated resource requirements as T0825 appropriate T0826 Synchronize cyber portions of security cooperation plans Synchronize the integrated employment of all available organic and partner intelligence T0827 collection assets using available collaboration capabilities and techniques T0828 Test and evaluate locally developed tools for operational use T0829 Test internal developed tools and techniques against target tools Track status of information requests including those processed as collection requests and T0830 production requirements using established procedures T0831 Translate collection requests into applicable discipline-specific collection requirements Use feedback results e g lesson learned to identify opportunities to improve collection T0832 management efficiency and effectiveness T0833 Validate requests for information according to established criteria Work closely with planners intelligence analysts and collection managers to ensure T0834 intelligence requirements and collection plans are accurate and up-to-date Work closely with planners analysts and collection managers to identify intelligence gaps T0835 and ensure intelligence requirements are accurate and up-to-date T0836 Document lessons learned that convey the results of events and or exercises 
Advise managers and operators on language and cultural issues that impact organization T0837 objectives T0838 Analyze and process information using language and or cultural expertise Assess document and apply a target's motivation and or frame of reference to facilitate T0839 analysis targeting and collection opportunities Collaborate across internal and or external organizational lines to enhance collection analysis T0840 and dissemination Conduct all-source target research to include the use of open source materials in the target T0841 language Conduct analysis of target communications to identify essential information in support of T0842 organization objectives 58 NIST SP 800-181 DRAFT Task NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Task Description T0843 Perform quality review and provide feedback on transcribed or translated materials Evaluate and interpret metadata to look for patterns anomalies or events thereby optimizing T0844 targeting analysis and processing T0845 Identify cyber threat tactics and methodologies T0846 Identify target communications within the global network Maintain awareness of target communication tools techniques and the characteristics of target communication networks e g capacity functionality paths critical nodes and their T0847 potential implications for targeting collection and analysis T0848 Provide feedback to collection managers to enhance future collection and analysis T0849 Perform foreign language and dialect identification in initial source data T0850 Perform or support technical network analysis and mapping T0851 Provide requirements and feedback to optimize the development of language processing tools T0852 Perform social network analysis and document as appropriate Scan identify and prioritize target graphic including machine-to-machine communications T0853 and or voice language material T0854 Tip critical or time-sensitive information to appropriate customers T0855 Transcribe target voice materials in the target 
language T0856 Translate e g verbatim gists and or summaries target graphic material T0857 Translate e g verbatim gists and or summaries target voice material Identify foreign language terminology within computer programs e g comments variable T0858 names T0859 Provide near-real time language analysis support e g live operations T0860 Identify cyber technology-related terminology in the target language Work with the general counsel external affairs and businesses to ensure both existing and new T0861 services comply with privacy and data security obligations Work with legal counsel and management key departments and committees to ensure the organization has and maintains appropriate privacy and confidentiality consent authorization forms and information notices and materials reflecting current organization and legal practices T0862 and requirements Coordinate with the appropriate regulating bodies to ensure that programs policies and procedures involving civil rights civil liberties and privacy considerations are addressed in an T0863 integrated and comprehensive manner T0864 Liaise with regulatory and accrediting bodies Work with external affairs to develop relationships with regulators and other government T0865 officials responsible for privacy and data security issues Maintain current knowledge of applicable federal and state privacy laws and accreditation standards and monitor advancements in information privacy technologies to ensure T0866 organizational adaptation and compliance Ensure all processing and or databases are registered with the local privacy data protection T0867 authorities where required Work with business teams and senior management to ensure awareness of “best practices” on T0868 privacy and data security issues Work with organization senior management to establish an organization-wide Privacy T0869 Oversight Committee T0870 Serve in a leadership role for Privacy Oversight Committee activities T0871 Collaborate on cyber privacy and security 
policies and procedures Collaborate with cyber security personnel on the security risk assessment process to address T0872 privacy compliance and risk mitigation 59 NIST SP 800-181 DRAFT Task T0873 T0874 T0875 T0876 T0877 T0878 T0879 T0880 T0881 T0882 T0883 T0884 T0885 T0886 T0887 T0888 T0889 T0890 T0891 T0892 T0893 T0894 T0895 NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Task Description Interface with Senior Management to develop strategic plans for the collection use and sharing of information in a manner that maximizes its value while complying with applicable privacy regulations Provide strategic guidance to corporate officers regarding information resources and technology Assist the Security Officer with the development and implementation of an information infrastructure Coordinate with the Corporate Compliance Officer re procedures for documenting and reporting self-disclosures of any evidence of privacy violations Work cooperatively with applicable organization units in overseeing consumer information access rights Serve as the information privacy liaison for users of technology systems Act as a liaison to the information systems department Develop privacy training materials and other communications to increase employee understanding of company privacy policies data handling practices and procedures and legal obligations Oversee direct deliver or ensure delivery of initial privacy training and orientation to all employees volunteers contractors alliances business associates and other appropriate third parties Conduct on-going privacy training and awareness activities Work with external affairs to develop relationships with consumer organizations and other NGOs with an interest in privacy and data security issues—and to manage company participation in public events related to privacy and data security Work with organization administration legal counsel and other related parties to represent the organization’s information privacy interests with external 
parties including government bodies which undertake to adopt or amend privacy legislation regulation or standard Report on a periodic basis regarding the status of the privacy program to the Board CEO or other responsible individual or committee Work with External Affairs to respond to press and other inquiries with regard to concern over consumer and employee data Provide leadership for the organization’s privacy program Direct and oversee privacy specialists and coordinate privacy and data security programs with senior executives globally to ensure consistency across the organization Ensure compliance with privacy practices and consistent application of sanctions for failure to comply with privacy policies for all individuals in the organization’s workforce extended workforce and for all business associates in cooperation with Human Resources the information security officer administration and legal counsel as applicable Develop appropriate sanctions for failure to comply with the corporate privacy policies and procedures Resolve allegations of non-compliance with the corporate privacy policies or notice of information practices Develop and coordinate a risk management and compliance framework for privacy Undertake a comprehensive review of the company’s data and privacy projects and ensure that they are consistent with corporate privacy and data security goals and policies Develop and manage enterprise-wide procedures to ensure the development of new products and services is consistent with company privacy policies and legal obligations Establish a process for receiving documenting tracking investigating and taking action on all complaints concerning the organization’s privacy policies and procedures 60 NIST SP 800-181 DRAFT Task T0896 T0897 T0898 T0899 T0900 T0901 T0902 T0903 T0904 T0905 T0906 T0907 T0908 T0909 T0910 T0911 T0912 T0913 T0914 T0915 T0916 T0917 T0918 NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Task Description Establish with management and 
operations a mechanism to track access to protected health information within the purview of the organization and as required by law and to allow qualified individuals to review or receive a report on such activity Provide leadership in the planning design and evaluation of privacy and security related projects Establish an internal privacy audit program Periodically revise the privacy program in light of changes in laws regulatory or company policy Provide development guidance and assist in the identification implementation and maintenance of organization information privacy policies and procedures in coordination with organization management and administration and legal counsel Assure that the use of technologies maintain and do not erode privacy protections on use collection and disclosure of personal information Monitor systems development and operations for security and privacy compliance Conduct privacy impact assessments of proposed rules on the privacy of personal information including the type of personal information collected and the number of people affected Conduct periodic information privacy impact assessments and ongoing compliance monitoring activities in coordination with the organization’s other compliance and operational assessment functions Review all system-related information security plans to ensure alignment between security and privacy practices Work with all organization personnel involved with any aspect of release of protected information to ensure coordination with the organization’s policies procedures and legal requirements Account for and administer individual requests for release or disclosure of personal and or protected information Develop and manage procedures for vetting and auditing vendors for compliance with the privacy and data security policies and legal requirements Participate in the implementation and ongoing compliance monitoring of all trading partner and business associate agreements to ensure all privacy concerns 
requirements and responsibilities are addressed Act as or work with counsel relating to business partner contracts Mitigate effects of a use or disclosure of personal information by employees or business partners Develop and apply corrective action procedures Administer action on all complaints concerning the organization’s privacy policies and procedures in coordination and collaboration with other similar functions and when necessary legal counsel Support the organization’s privacy compliance program working closely with the Privacy Officer Chief Information Security Officer and other business leaders to ensure compliance with federal and state privacy laws and regulations Identify and correct potential company compliance gaps and or areas of risk to ensure full compliance with privacy regulations Manage privacy incidents and breaches in conjunction with the Privacy Officer Chief Information Security Officer legal counsel and the business units Coordinate with the Chief Information Security Officer to ensure alignment between security and privacy practices Establish implement and maintains organization-wide policies and procedures to comply with privacy regulations 61 NIST SP 800-181 DRAFT Task T0919 T0920 T0921 T0922 T0923 T0924 T0925 T0926 T0927 T0928 NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Task Description Ensure that the company maintains appropriate privacy and confidentiality notices consent and authorization forms and materials Develop and maintain appropriate communications and training to promote and educate all workforce members and members of the Board regarding privacy compliance issues and requirements and the consequences of non-compliance Determine business partner requirements related to the organization’s privacy program Establish and administer a process for receiving documenting tracking investigating and taking corrective action as appropriate on complaints concerning the company’s privacy policies and procedures Cooperate with the 
relevant regulatory agencies and other legal entities and organization officers in any compliance reviews or investigations Perform ongoing privacy compliance monitoring activities Monitor advancements in information privacy technologies to ensure organization adoption and compliance Develop or assist with the development of privacy training materials and other communications to increase employee understanding of company privacy policies data handling practices and procedures and legal obligations Appoint and guide a team of IT security experts Collaborate with key stakeholders to establish a cybersecurity risk management program 835 62 NIST SP 800-181 DRAFT NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF 836 A 5 837 838 839 840 841 842 843 Table 6 provides a listing of specific knowledge that might be demonstrated by a person in a given cybersecurity position Selected knowledge descriptions from this list are included in the Detailed Work Role Listing in Appendix B Because the knowledge aspects have evolved over many years and are expected to continue to do so they are not sorted in a particular order and will simply continue to grow sequentially NCWF Knowledge Descriptions Table 6 - NCWF Knowledge Descriptions ID K0001 K0002 K0003 K0004 K0005 K0006 K0007 K0008 K0009 K0010 K0011 K0012 K0013 K0014 K0015 K0016 K0017 K0018 K0019 K0020 K0021 K0022 K0023 K0024 K0025 K0026 K0027 K0028 Description Knowledge of computer networking concepts and protocols and network security methodologies Knowledge of risk management processes e g methods for assessing and mitigating risk Knowledge of national and international laws regulations policies and ethics as they relate to cybersecurity Knowledge of cybersecurity principles Knowledge of cyber threats and vulnerabilities Knowledge of specific operational impacts of cybersecurity lapses Knowledge of authentication authorization and access control methods Knowledge of applicable business processes and operations of customer organizations 
Knowledge of application vulnerabilities Knowledge of communication methods principles and concepts e g crypto dual hubs time multiplexers that support the network infrastructure Knowledge of capabilities and applications of network equipment including hubs routers switches bridges servers transmission media and related hardware Knowledge of capabilities and requirements analysis Knowledge of cyber defense and vulnerability assessment tools including open source tools and their capabilities Knowledge of complex data structures Knowledge of computer algorithms Knowledge of computer programming principles such as object-oriented design Knowledge of concepts and practices of processing digital forensic data Knowledge of encryption algorithms e g Internet Protocol Security IPSEC Advanced Encryption Standard AES Generic Routing Encapsulation GRE Internet Key Exchange IKE Message Digest Algorithm MD5 Secure Hash Algorithm SHA Triple Data Encryption Standard 3DES Knowledge of cryptography and cryptographic key management concepts Knowledge of data administration and data standardization policies and standards Knowledge of data backup types of backups e g full incremental and recovery concepts and tools Knowledge of data mining and data warehousing principles Knowledge of database management systems query languages table relationships and views Knowledge of database systems Knowledge of digital rights management Knowledge of disaster recovery continuity of operations plans Knowledge of organization's enterprise information security architecture system Knowledge of organization's evaluation and validation requirements 63 NIST SP 800-181 DRAFT ID K0029 K0030 K0031 K0032 K0033 K0034 K0035 K0036 K0037 K0038 K0039 K0040 K0041 K0042 K0043 K0044 K0045 K0046 K0047 K0048 K0049 K0050 K0051 K0052 K0053 K0054 K0055 K0056 K0057 K0058 K0059 K0060 K0061 NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Description Knowledge of organization's LAN WAN pathways Knowledge of electrical engineering 
as applied to computer architecture including circuit boards processors chips and associated computer hardware Knowledge of enterprise messaging systems and associated software Knowledge of fault tolerance Knowledge of host network access control mechanisms e g access control list Knowledge of how network services and protocols interact to provide network communications Knowledge of how system components are installed integrated and optimized Knowledge of human-computer interaction principles Knowledge of the Security Assessment and Authorization process Knowledge of cybersecurity principles used to manage risks related to the use processing storage and transmission of information or data Knowledge of cybersecurity principles and methods that apply to software development Knowledge of known vulnerabilities from alerts advisories errata and bulletins Knowledge of incident categories incident responses and timelines for responses Knowledge of incident response and handling methodologies Knowledge of industry-standard and organizationally accepted analysis principles and methods Knowledge of cybersecurity principles and organizational requirements relevant to confidentiality integrity availability authentication non-repudiation Knowledge of information security systems engineering principles Knowledge of intrusion detection methodologies and techniques for detecting host and network-based intrusions via intrusion detection technologies Knowledge of information technology IT architectural concepts and frameworks Knowledge of Risk Management Framework RMF requirements Knowledge of information technology IT security principles and methods e g firewalls demilitarized zones encryption Knowledge of local area and wide area networking principles and concepts including bandwidth management Knowledge of low-level computer languages e g assembly languages Knowledge of mathematics including logarithms trigonometry linear algebra calculus and statistics Knowledge of measures or 
indicators of system performance and availability Knowledge of current industry methods for evaluating implementing and disseminating information technology IT security assessment monitoring detection and remediation tools and procedures utilizing standards-based concepts and capabilities Knowledge of microprocessors Knowledge of network access identity and access management e g public key infrastructure PKI Knowledge of network hardware devices and functions Knowledge of network traffic analysis methods Knowledge of new and emerging information technology IT and cybersecurity technologies Knowledge of operating systems Knowledge of how traffic flows across the network e g Transmission Control Protocol TCP and Internet Protocol IP Open System Interconnection Model OSI Information Technology Infrastructure Library current version ITIL 64 NIST SP 800-181 DRAFT ID K0062 K0063 K0064 K0065 K0066 K0067 K0068 K0069 K0070 K0071 K0072 K0073 K0074 K0075 K0076 K0077 K0078 K0079 K0080 K0081 K0082 K0083 K0084 K0085 K0086 K0087 K0088 K0089 K0090 K0091 K0092 K0093 K0094 K0095 K0096 NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Description Knowledge of packet-level analysis Knowledge of parallel and distributed computing concepts Knowledge of performance tuning tools and techniques Knowledge of policy-based and risk adaptive access controls Knowledge of Privacy Impact Assessments Knowledge of process engineering concepts Knowledge of programming language structures and logic Knowledge of query languages such as SQL structured query language Knowledge of system and application security threats and vulnerabilities e g buffer overflow mobile code cross-site scripting Procedural Language Structured Query Language PL SQL and injections race conditions covert channel replay return-oriented attacks malicious code Knowledge of remote access technology concepts Knowledge of resource management principles and techniques Knowledge of secure configuration management techniques Knowledge of key 
concepts in security management e g Release Management Patch Management Knowledge of security system design tools methods and techniques Knowledge of server administration and systems engineering theories concepts and methods Knowledge of server and client operating systems Knowledge of server diagnostic tools and fault identification techniques Knowledge of software debugging principles Knowledge of software design tools methods and techniques Knowledge of software development models e g Waterfall Model Spiral Model Knowledge of software engineering Knowledge of sources characteristics and uses of the organization’s data assets Knowledge of structured analysis principles and methods Knowledge of system and application security threats and vulnerabilities Knowledge of system design tools methods and techniques including automated systems analysis and design tools Knowledge of system software and organizational design standards policies and authorized approaches e g International Organization for Standardization ISO guidelines relating to system design Knowledge of systems administration concepts Knowledge of systems diagnostic tools and fault identification techniques Knowledge of system life cycle management principles including software security and usability Knowledge of systems testing and evaluation methods Knowledge of technology integration processes Knowledge of key telecommunications concepts e g Routing Algorithms Fiber Optics Systems Link Budgeting Add Drop Multiplexers Knowledge of the capabilities and functionality associated with various content creation technologies e g wikis social networking blogs Knowledge of the capabilities and functionality associated with various technologies for organizing and managing information e g databases bookmarking engines Knowledge of the capabilities and functionality of various collaborative technologies e g groupware SharePoint 65 NIST SP 800-181 DRAFT ID K0097 K0098 K0099 K0100 K0101 K0102 K0103 K0104 K0105 K0106 
K0107 K0108 K0109 K0110 K0111 K0112 K0113 K0114 K0115 K0116 K0117 K0118 K0119 K0120 K0121 K0122 K0123 K0124 NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Description Knowledge of the characteristics of physical and virtual data storage media Knowledge of the cyber defense Service Provider reporting structure and processes within one’s own organization Knowledge of the common networking protocols e g TCP IP services e g web mail Domain Name Server and how they interact to provide network communications Knowledge of the enterprise information technology IT architecture Knowledge of the organization’s enterprise information technology IT goals and objectives Knowledge of the systems engineering process Knowledge of the type and frequency of routine maintenance needed to keep equipment functioning properly Knowledge of Virtual Private Network VPN security Knowledge of web services including service-oriented architecture Simple Object Access Protocol and web service description language Knowledge of what constitutes a network attack and the relationship to both threats and vulnerabilities Knowledge of and experience in Insider Threat investigations reporting investigative tools and laws regulations Knowledge of basic concepts terminology and operations of a wide range of communications media computer and telephone networks satellite fiber wireless Knowledge of basic physical computer components and architectures including the functions of various components and peripherals e g CPUs Network Interface Cards data storage Knowledge of common adversary tactics techniques and procedures in assigned area of responsibility i e historical country-specific tactics techniques and procedures emerging capabilities Knowledge of common network tools e g ping traceroute nslookup and interpret the information results Knowledge of defense-in-depth principles and network security architecture Knowledge of different types of network communication e g LAN WAN MAN WLAN WWAN Knowledge of 
electronic devices e g computer systems components access control devices digital cameras electronic organizers hard drives memory cards modems network components printers removable storage devices scanners telephones copiers credit card skimmers facsimile machines global positioning systems GPSs Knowledge of emerging computer-based technology that has potential for exploitation by adversaries Knowledge of file extensions e g dll bat zip pcap gzip Knowledge of file system implementations e g New Technology File System NTFS File Allocation Table FAT File Extension EXT Knowledge of processes for seizing and preserving digital evidence e g chain of custody Knowledge of hacking methodologies in Windows or Unix Linux environment Knowledge of how information needs and collection requirements are translated tracked and prioritized across the extended enterprise Knowledge of information security program management and project management principles and techniques Knowledge of investigative implications of hardware Operating Systems and network technologies Knowledge of legal governance related to admissibility e g Federal Rules of Evidence Knowledge of multiple cognitive domains and appropriate tools and methods for learning in each domain 66 NIST SP 800-181 DRAFT ID K0125 K0126 K0127 K0128 K0129 K0130 K0131 K0132 K0133 K0134 K0135 K0136 K0137 K0138 K0139 K0140 K0141 K0142 K0143 K0144 K0145 K0146 K0147 K0148 K0149 K0150 K0151 K0152 K0153 K0154 K0155 K0156 K0157 K0158 K0159 K0160 K0161 NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Description Knowledge of processes for collecting packaging transporting and storing electronic evidence to avoid alteration loss physical damage or destruction of data Knowledge of secure acquisitions e g relevant Contracting Officer's Technical Representative COTR duties secure procurement supply chain risk management Knowledge of the nature and function of the relevant information structure e g National Information Infrastructure Knowledge of 
types and collection of persistent data Knowledge of Unix command line e g mkdir mv ls passwd grep Knowledge of virtualization technologies and virtual machine development and maintenance Knowledge of web mail collection searching analyzing techniques tools and cookies Knowledge of which system files e g log files registry files configuration files contain relevant information and where to find those system files Knowledge of types of digital forensics data and how to recognize them Knowledge of deployable forensics Knowledge of web filtering technologies Knowledge of the capabilities of different electronic communication systems and methods e g e-mail VOIP IM web forums Direct Video Broadcasts Knowledge of the range of existing networks e g PBX LANs WANs WIFI SCADA Knowledge of Wi-Fi Knowledge of interpreted and compiled computer languages Knowledge of secure coding techniques Withdrawn – Integrated into K0420 Knowledge of collection management processes capabilities and limitations Knowledge of front-end collection systems including network traffic collection filtering and selection Knowledge of social dynamics of computer attackers in a global context Knowledge of security event correlation tools Knowledge of the organization's core business mission processes Knowledge of emerging security issues risks and vulnerabilities Knowledge of import export control regulations and responsible agencies for the purposes of reducing supply chain risk Knowledge of organization's risk tolerance and or risk management approach Knowledge of enterprise incident response program roles and responsibilities Knowledge of current and emerging threats threat vectors Knowledge of software related information technology IT security principles and methods e g modularization layering abstraction data hiding simplicity minimization Knowledge of software quality assurance process Knowledge of supply chain risk management standards processes and practices Knowledge of electronic evidence law 
Knowledge of legal rules of evidence and court procedure Knowledge of cyber defense policies procedures and regulations Knowledge of organizational information technology IT user security policies e g account creation password rules access control Knowledge of Voice over IP VoIP Knowledge of the common attack vectors on the network layer Knowledge of different classes of attacks e g passive active insider close-in distribution 67 NIST SP 800-181 DRAFT ID K0162 K0163 K0164 K0165 K0166 K0167 K0168 K0169 K0170 K0171 K0172 K0173 K0174 K0175 K0176 K0177 K0178 K0179 K0180 K0181 K0182 K0183 K0184 K0185 K0186 K0187 K0188 K0189 K0190 K0191 K0192 NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Description Knowledge of different operational threat environments e g first generation script kiddies second generation non- nation state sponsored and third generation nation state sponsored Knowledge of critical information technology IT procurement requirements Knowledge of functionality quality and security requirements and how these will apply to specific items of supply i e elements and processes Knowledge of risk threat assessment Knowledge of the nature and function of the relevant information structure Knowledge of basic system administration network and operating system hardening techniques Knowledge of applicable laws e g Electronic Communications Privacy Act Foreign Intelligence Surveillance Act Protect America Act search and seizure laws civil liberties and privacy laws statutes e g in Titles 10 18 32 50 in U S Code Presidential Directives executive branch guidelines and or administrative criminal legal guidelines and procedures relevant to work performed Knowledge of information technology IT supply chain security and risk management policies requirements and procedures Knowledge of local specialized system requirements e g critical infrastructure systems that may not use standard information technology IT for safety performance and reliability Knowledge of hardware reverse 
engineering techniques Knowledge of middleware e g enterprise service bus and message queuing Withdrawn – Integrated into K0499 Knowledge of networking protocols Knowledge of software reverse engineering techniques Knowledge of Extensible Markup Language XML schemas Knowledge of general attack stages e g foot printing and scanning enumeration gaining access escalation or privileges maintaining access network exploitation covering tracks Knowledge of secure software deployment methodologies tools and practices Knowledge of network security architecture concepts including topology protocols components and principles e g application of defense-in-depth Knowledge of network systems management principles models methods e g end-to-end systems performance monitoring and tools Knowledge of transmission records e g Bluetooth Radio Frequency Identification RFID Infrared Networking IR Wireless Fidelity Wi-Fi paging cellular satellite dishes and jamming techniques that enable transmission of undesirable information or prevent installed systems from operating correctly Knowledge of data carving tools and techniques e g Foremost Knowledge of reverse engineering concepts Knowledge of anti-forensics tactics techniques and procedures Knowledge of common forensics tool configuration and support applications e g VMWare WIRESHARK Knowledge of debugging procedures and tools Knowledge of how different file types can be used for anomalous behavior Knowledge of malware analysis tools e g Oily Debug Ida Pro Knowledge of virtual machine aware malware debugger aware malware and packing Knowledge of encryption methodologies Knowledge of signature implementation impact Knowledge of Windows Unix ports and services 68 NIST SP 800-181 DRAFT ID K0193 K0194 K0195 K0196 K0197 K0198 K0199 K0200 K0201 K0202 K0203 K0204 K0205 K0206 K0207 K0208 K0209 K0210 K0211 K0212 K0213 K0214 K0215 K0216 K0217 K0218 K0219 K0220 K0221 K0222 K0223 K0224 K0225 NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Description 
Knowledge of advanced data remediation security features in databases Knowledge of Cloud-based knowledge management technologies and concepts related to security governance procurement and administration Knowledge of data classification standards and methodologies based on sensitivity and other risk factors Knowledge of Import Export Regulations related to cryptography and other security technologies Knowledge of Java-based database access application programming interface API e g Java Database Connectivity JDBC Knowledge of organizational process improvement concepts and process maturity models e g Capability Maturity Model Integration CMMI for Development CMMI for Services and CMMI for Acquisitions Knowledge of security architecture concepts and enterprise architecture reference models e g Zachman Federal Enterprise Architecture FEA Knowledge of service management concepts for networks and related standards e g Information Technology Infrastructure Library current version ITIL Knowledge of symmetric key rotation techniques and concepts Knowledge of the application firewall concepts and functions e g Single point of authentication audit policy enforcement message scanning for malicious content data anonymization for PCI and PII compliance data loss protection scanning accelerated cryptographic operations SSL security REST JSON processing Knowledge of security models e g Bell-LaPadula model Biba integrity model ClarkWilson integrity model Knowledge of assessment techniques rubrics evaluation plans tests quizzes Knowledge of basic system network and OS hardening techniques Knowledge of ethical hacking principles and techniques Knowledge of circuit analysis Knowledge of computer based training and e-learning services Knowledge of covert communication techniques Knowledge of data backup and restoration concepts Knowledge of confidentiality integrity and availability requirements Knowledge of cybersecurity-enabled software products Knowledge of instructional design and 
evaluation models e g ADDIE Smith Ragan model Gagne’s Events of Instruction Kirkpatrick’s model of evaluation Knowledge of the Risk Management Framework Assessment Methodology Knowledge of organizational training policies Knowledge of learning levels i e Bloom’s Taxonomy of learning Knowledge of Learning Management Systems and their use in managing learning Knowledge of learning styles e g assimilator auditory kinesthetic Knowledge of local area network LAN and wide area network WAN principles Knowledge of modes of learning e g rote learning observation Knowledge of OSI model and underlying network protocols e g TCP IP Knowledge of relevant laws legal authorities restrictions and regulations pertaining to cyber defense activities Withdrawn – integrated into K0073 Knowledge of system administration concepts for Unix Linux and or Windows operating systems Knowledge of the common networking protocol and services deployed at CC S A 69 NIST SP 800-181 DRAFT ID K0226 K0227 K0228 K0229 K0230 K0231 K0232 K0233 K0234 K0235 K0236 K0237 K0238 K0239 K0240 K0241 K0242 K0243 K0244 K0245 K0246 K0247 K0248 K0249 K0250 K0251 K0252 K0253 K0254 K0255 K0256 K0257 K0258 K0259 K0260 K0261 K0262 K0263 NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Description Knowledge of organizational training systems Knowledge of various types of computer architectures Knowledge of taxonomy and semantic ontology theory Knowledge of applications that can log errors exceptions and application faults and logging Knowledge of cloud service models and possible limitations for an incident response Knowledge of crisis management protocols processes and techniques Knowledge of critical protocols e g IPSEC AES GRE IKE Knowledge of the National Cybersecurity Workforce Framework work roles and associated tasks knowledge skills and abilities Knowledge of full spectrum cyber capabilities Knowledge of how to leverage government research and development centers think tanks academic research and industry systems 
Knowledge of how to utilize Hadoop Java Python SQL Hive and PIG to explore data Knowledge of industry best practices for service desk Knowledge of machine learning theory and principles Knowledge of media production communication and dissemination techniques and methods including alternative ways to inform via written oral and visual media Knowledge of multi-level security cross domain solutions Knowledge of organizational human resource policies processes and procedures Knowledge of organizational security policies Knowledge of organizational training and education policies processes and procedures Knowledge of physical and physiological behaviors that may indicate suspicious or abnormal activity Knowledge of principles and processes for conducting training and education needs assessment Knowledge of relevant concepts procedures software equipment and technology applications Knowledge of remote access processes tools and capabilities related to customer support Knowledge of strategic theory and practice Knowledge of sustainment technologies processes and strategies Knowledge of Test Evaluation processes Knowledge of the judicial process including the presentation of facts and evidence Knowledge of training and education principles and methods for curriculum design teaching and instruction for individuals and groups and the measurement of training and education effects Withdrawn – Integrated into K0227 Knowledge of binary analysis Knowledge of network architecture concepts including topology protocols and components Withdrawn – Integrated into K0224 Knowledge of information technology IT acquisition procurement requirements Knowledge of test procedures principles and methodologies e g Capabilities and Maturity Model Integration CMMI Knowledge of malware analysis concepts and methodologies Knowledge of Personally Identifiable Information PII data security standards Knowledge of Payment Card Industry PCI data security standards Knowledge of Personal Health 
Information PHI data security standards Knowledge of information technology IT risk management policies requirements and procedures 70 NIST SP 800-181 DRAFT ID K0264 K0265 K0266 K0267 K0268 K0269 K0270 K0271 K0272 K0273 K0274 K0275 K0276 K0277 K0278 K0279 K0280 K0281 K0282 K0283 K0284 K0285 K0286 K0287 K0288 K0289 K0290 K0291 K0292 K0293 K0294 NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Description Knowledge of program protection planning to include information technology IT supply chain security risk management policies anti-tampering techniques and requirements Knowledge of infrastructure supporting information technology IT for safety performance and reliability Knowledge of how to evaluate the trustworthiness of the supplier and or product Knowledge of relevant laws policies procedures or governance related to critical infrastructure Knowledge of forensic footprint identification Knowledge of mobile communications architecture Knowledge of the acquisition procurement life cycle process Knowledge of operating system structures and internals e g process management directory structure installed applications Knowledge of network analysis tools used to identify software communications vulnerabilities Knowledge of general kill chain e g footprinting and scanning enumeration gaining access escalation of privileges maintaining access network exploitation covering tracks Knowledge of transmission records e g Bluetooth Radio Frequency Identification RFID Infrared Networking IR Wireless Fidelity Wi-Fi paging cellular satellite dishes Voice over Internet Protocol VoIP and jamming techniques that enable transmission of undesirable information or prevent installed systems from operating correctly Knowledge of configuration management techniques Knowledge of security management Knowledge of current and emerging data encryption e g Column and Tablespace Encryption file and disk encryption security features in databases including built-in cryptographic key management features 
Knowledge of current and emerging data remediation security features in databases Knowledge of database access application programming interfaces APIs e g Java Database Connectivity JDBC Knowledge of systems engineering theories concepts and methods Knowledge of information technology IT service catalogues Withdrawn – Integrated into K0200 Knowledge of use cases related to collaboration and content synchronization across platforms e g Mobile PC Cloud Knowledge of developing and applying user credential management system Knowledge of implementing enterprise key escrow systems to support data-at-rest encryption Knowledge of N-tiered typologies including server and client operating systems Knowledge of an organization's information classification program and procedures for information compromise Knowledge of industry standard security models Knowledge of system server diagnostic tools and fault identification techniques Knowledge of systems security testing and evaluation methods Knowledge of the enterprise information technology IT architectural concepts and patterns to include baseline and target architectures Knowledge of the operations and processes for incident problem and event management Knowledge of integrating the organization’s goals and objectives into the architecture Knowledge of IT system operation maintenance and security needed to keep equipment functioning properly 71 NIST SP 800-181 DRAFT ID K0295 K0296 K0297 K0298 K0299 K0300 K0301 K0302 K0303 K0304 K0305 K0306 K0307 K0308 K0309 K0310 K0311 K0312 K0313 K0314 K0315 K0316 K0317 K0318 K0319 K0320 K0321 K0322 K0323 K0324 K0325 K0326 K0327 K0328 K0329 NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Description Knowledge of confidentiality integrity and availability principles Knowledge of capabilities applications and potential vulnerabilities of network equipment including hubs routers switches bridges servers transmission media and related hardware Knowledge of countermeasure design for identified security 
risks Knowledge of countermeasures for identified security risks Knowledge in determining how a security system should work including its resilience and dependability capabilities and how changes in conditions operations or the environment will affect these outcomes Knowledge of network mapping and recreating network topologies Knowledge of packet-level analysis using appropriate tools e g Wireshark tcpdump Knowledge of the basic operation of computers Knowledge of the use of sub-netting tools Knowledge of basic concepts and practices of processing digital forensic data Knowledge of encryption algorithms stenography and other forms of data concealment Knowledge of basic physical computer components and architectures Knowledge of common network tools e g ping traceroute nslookup Knowledge of cryptology Knowledge of emerging technologies that have potential for exploitation by adversaries Knowledge of hacking methodologies Knowledge of industry indicators useful for identifying technology trends Knowledge of intelligence principles policies and procedures including legal authorities and restrictions Knowledge of external organizations and academic institutions with cyber focus e g cyber curriculum training and Research Development Knowledge of industry technologies and how differences affect exploitation vulnerabilities Knowledge of the principal methods procedures and techniques of gathering information and producing reporting and sharing information Knowledge of business or military operation plans concept operation plans orders policies and standing rules of engagement Knowledge of procedures used for documenting and querying reported incidents problems and events Knowledge of operating system command line prompt Knowledge of technical delivery capabilities and their limitations Knowledge of organization's evaluation and validation criteria Knowledge of engineering concepts as applied to computer architecture and associated computer hardware software Knowledge of 
embedded systems Knowledge of system fault tolerance methodologies Knowledge of Intrusion Detection System IDS Intrusion Prevention System IPS tools and applications Knowledge of Information Theory e g source coding channel coding algorithm complexity theory and data compression Knowledge of cybersecurity methods such as firewalls demilitarized zones and encryption Knowledge of local area network LAN wide area network WAN and enterprise principles and concepts including bandwidth management Knowledge of mathematics including logarithms trigonometry linear algebra calculus statistics and operational analysis Knowledge of statistics 72 NIST SP 800-181 DRAFT ID K0330 K0331 K0332 K0333 K0334 K0335 K0336 K0337 K0338 K0339 K0340 K0341 K0342 K0343 K0344 K0345 K0346 K0347 K0348 K0349 K0350 K0351 K0352 K0353 K0354 K0355 K0356 K0357 K0358 K0359 K0360 K0361 K0362 K0363 K0364 NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Description Knowledge of successful capabilities to identify the solutions to less common and more complex system problems Knowledge of network protocols e g Transmission Critical Protocol TCP Internet Protocol IP Dynamic Host Configuration Protocol DHCP and directory services e g Domain Name System DNS Knowledge of network protocols such as TCP IP Dynamic Host Configuration Domain Name System DNS and directory services Knowledge of network design processes to include understanding of security objectives operational objectives and tradeoffs Knowledge of network traffic analysis tools methodologies processes Knowledge of current and emerging cyber technologies Knowledge of access authentication methods Withdrawn – Integrated into K0007 Knowledge of data mining techniques Knowledge of how to use network analysis tools to identify vulnerabilities Knowledge of how traffic flows across the network e g Transmission Control Protocol TCP Internet Protocol IP Open System Interconnection Model OSI Knowledge of foreign disclosure policies and import export control 
regulations as related to cybersecurity Knowledge of penetration testing principles tools and techniques Knowledge of root cause analysis techniques Knowledge of threat environments Knowledge of cyber attackers e g script kiddies insider threat non-nation state sponsored and nation sponsored Knowledge of principles and methods for integrating system components Knowledge and understanding of operational design Knowledge of a wide range of basic communications media concepts and terminology e g computer and telephone networks satellite cable wireless Knowledge of a wide range of concepts associated with websites e g website types administration functions software systems etc Knowledge of accepted organization planning systems Knowledge of all applicable statutes laws regulations and policies governing cyber targeting and exploitation Knowledge of all forms of intelligence support needs topics and focus areas Knowledge of all possible circumstances that would result in changing collection management authorities Knowledge of all relevant reporting and dissemination procedures Knowledge of all-source reporting and dissemination procedures Knowledge of analytic tools and techniques Knowledge of analytical constructs and their use in assessing the operational environment Knowledge of analytical standards and the purpose of intelligence confidence levels Knowledge of approved intelligence dissemination processes Knowledge of assembly code Knowledge of asset availability capabilities and limitations Knowledge of attack methods and techniques DDoS brute force spoofing etc Knowledge of auditing and logging procedures including server-based logging Knowledge of available databases and tools necessary to assess appropriate collection tasking 73 NIST SP 800-181 DRAFT ID K0365 K0366 K0367 K0368 K0369 K0370 K0371 K0372 K0373 K0374 K0375 K0376 K0377 K0378 K0379 K0380 K0381 K0382 K0383 K0384 K0385 K0386 K0387 K0388 K0389 K0390 K0391 K0392 K0393 K0394 K0395 NICE CYBERSECURITY 
WORKFORCE FRAMEWORK NCWF Description Knowledge of basic back-up and recovery procedures including different types of backups e g full incremental Knowledge of basic computer components and architectures including the functions of various peripherals Knowledge of basic cyber operations activity concepts e g foot printing scanning and enumeration penetration testing white black listing Knowledge of basic implants Knowledge of basic malicious activity concepts e g foot printing scanning and enumeration Knowledge of basic physical computer components and architecture including the functions of various components and peripherals e g CPUs Network Interface Cards data storage Knowledge of basic principles of the collection development processes e g Dialed Number Recognition Social Network Analysis Knowledge of basic programming concepts e g levels structures compiled vs interpreted languages Knowledge of basic software applications e g data storage and backup database applications and their vulnerabilities Knowledge of basic structure architecture and design of modern digital and telephony networks Knowledge of basic wireless applications including vulnerabilities in various types of wireless applications Knowledge of both internal and external customers and partner organizations including information needs objectives structure capabilities etc Knowledge of classification and control markings standards policies and procedures Knowledge of classification and control markings standards Knowledge of client organizations including information needs objectives structure capabilities etc Knowledge of collaborative tools and environments Knowledge of collateral damage and estimating impact s Knowledge of collection capabilities and limitations Knowledge of collection capabilities accesses performance specifications and constraints utilized to satisfy collection plan Knowledge of collection management functionality e g positions functions responsibilities products reporting 
requirements Withdrawn – Integrated into K0142 Knowledge of collection management tools Knowledge of collection planning process and collection plan Knowledge of collection searching analyzing techniques and tools for chat buddy list emerging technologies VOIP Media Over IP VPN VSAT wireless web mail and cookies Knowledge of collection sources including conventional and non-conventional sources Knowledge of collection strategies Knowledge of collection systems capabilities and processes Knowledge of common computer network infections virus Trojan etc and methods of infection ports attachments etc Knowledge of common networking devices and their configurations Knowledge of common reporting databases and tools Knowledge of computer networking fundamentals i e basic computer components of a network types of networks etc 74 NIST SP 800-181 DRAFT ID K0396 K0397 K0398 K0399 K0400 K0401 K0402 K0403 K0404 K0405 K0406 K0407 K0408 K0409 K0410 K0411 K0412 K0413 K0414 K0415 K0416 K0417 K0418 K0419 K0420 K0421 K0422 K0423 K0424 K0425 K0426 K0427 K0428 K0429 K0430 K0431 K0432 K0433 K0434 K0435 NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Description Knowledge of computer programming concepts including computer languages programming testing debugging and file types Knowledge of concepts for operating systems e g Linux Unix Knowledge of concepts related to websites e g web servers pages hosting DNS registration web languages such as HTML Knowledge of crisis action planning and time sensitive planning procedures Knowledge of crisis action planning for cyber operations Knowledge of criteria for evaluating collection products Knowledge of criticality and vulnerability factors e g value recuperation cushion countermeasures for target selection and applicability to the cyber domain Knowledge of cryptologic capabilities limitations and contributions to cyber operations Knowledge of current collection requirements Knowledge of current computer-based intrusion sets Knowledge of current 
software and methodologies for active defense and system hardening Knowledge of customer information needs Knowledge of cyber actions i e cyber defense information gathering environment preparation cyber attack principles capabilities limitations and effects Knowledge of cyber intelligence information collection capabilities and repositories Knowledge of cyber laws and their effect on Cyber planning Knowledge of cyber laws legal considerations and their effect on cyber planning Knowledge of cyber lexicon terminology Knowledge of cyber operation objectives policies and legalities Knowledge of cyber operations support or enabling processes Knowledge of cyber operations terminology lexicon Knowledge of cyber operations Knowledge of data communications terminology e g networking protocols Ethernet IP encryption optical devices removable media Knowledge of data flow process for terminal or environment collection Knowledge of database administration and maintenance Knowledge of database theory Knowledge of databases portals and associated dissemination vehicles Knowledge of deconfliction processes and procedures Knowledge of deconfliction reporting to include external organization interaction Knowledge of denial and deception techniques Knowledge of different organization objectives at all levels including subordinate lateral and higher Knowledge of dynamic and deliberate targeting Knowledge of encryption algorithms and cyber capabilities tools e g SSL PGP Knowledge of encryption algorithms and tools for WLANs Knowledge of enterprise-wide information management Knowledge of evasion strategies and techniques Knowledge of evolving emerging communications technologies Knowledge of existing emerging and long-range issues related to cyber operations strategy policy and organization Knowledge of forensic implications of operating system structure and operations Knowledge of front-end collection systems including traffic collection filtering and selection Knowledge of 
…fundamental cyber concepts, principles, limitations, and effects.

NIST SP 800-181 DRAFT NICE CYBERSECURITY WORKFORCE FRAMEWORK (NCWF)

ID  Description
K0436  Knowledge of fundamental cyber operations concepts, terminology/lexicon (i.e., environment preparation, cyber attack, cyber defense), principles, capabilities, limitations, and effects.
K0437  Knowledge of general SCADA system components.
K0438  Knowledge of Global Systems for Mobile Communications (GSM) architecture.
K0439  Knowledge of governing authorities for targeting.
K0440  Knowledge of host-based security products and how they affect exploitation and vulnerability.
K0441  Knowledge of how collection requirements and information needs are translated, tracked, and prioritized across the extended enterprise.
K0442  Knowledge of how converged technologies impact cyber operations (e.g., digital, telephony, wireless).
K0443  Knowledge of how hubs, switches, routers work together in the design of a network.
K0444  Knowledge of how internet applications work (SMTP email, web-based email, chat clients, VOIP).
K0445  Knowledge of how modern digital and telephony networks impact cyber operations.
K0446  Knowledge of how modern wireless communications systems impact cyber operations.
K0447  Knowledge of how to collect, view, and identify essential information on targets of interest from metadata (e.g., email, http).
K0448  Knowledge of how to establish priorities for resources.
K0449  Knowledge of how to extract, analyze, and use metadata.
K0450  Withdrawn – Integrated into K0036.
K0451  Knowledge of identification and reporting processes.
K0452  Knowledge of implementing Unix and Windows systems that provide radius authentication and logging, DNS, mail, web service, FTP server, DHCP, firewall, and SNMP.
K0453  Knowledge of indications and warning.
K0454  Knowledge of information needs.
K0455  Knowledge of information security concepts, facilitating technologies and methods.
K0456  Knowledge of intelligence capabilities and limitations.
K0457  Knowledge of intelligence confidence levels.
K0458  Knowledge of intelligence disciplines.
K0459  Knowledge of intelligence employment requirements (i.e., logistical, communications support, maneuverability, legal restrictions, etc.).
K0460  Knowledge of intelligence preparation of the environment and similar processes.
K0461  Knowledge of intelligence production processes.
K0462  Knowledge of intelligence reporting principles, policies, procedures, and vehicles, including report formats, reportability criteria (requirements and priorities), dissemination practices, and legal authorities and restrictions.
K0463  Knowledge of intelligence requirements tasking systems.
K0464  Knowledge of intelligence support to planning, execution, and assessment.
K0465  Knowledge of internal and external partner cyber operations capabilities and tools.
K0466  Knowledge of internal and external partner intelligence processes and the development of information requirements and essential information.
K0467  Knowledge of internal and external partner organization capabilities and limitations (those with tasking, collection, processing, exploitation and dissemination responsibilities).
K0468  Knowledge of internal and external partner reporting.
K0469  Knowledge of internal tactics to anticipate and/or emulate threat capabilities and actions.
K0470  Knowledge of Internet and routing protocols.
K0471  Knowledge of internet network addressing (IP addresses, classless inter-domain routing, TCP/UDP port numbering).
K0472  Knowledge of intrusion detection systems and signature development.
K0473  Knowledge of intrusion sets.
K0474  Knowledge of key cyber threat actors and their equities.
K0475  Knowledge of key factors of the operational environment and threat.
K0476  Knowledge of language processing tools and techniques.
K0477  Knowledge of leadership's Intent and objectives.
K0478  Knowledge of legal considerations in targeting.
K0479  Knowledge of malware analysis and characteristics.
K0480  Knowledge of malware.
K0481  Knowledge of methods and techniques used to detect various exploitation activities.
K0482  Knowledge of methods for ascertaining collection asset posture and availability.
K0483  Knowledge of methods to integrate and summarize information from any potential sources.
K0484  Knowledge of midpoint collection (process, objectives, organization, targets, etc.).
K0485  Knowledge of network administration.
K0486  Knowledge of network construction and topology.
K0487  Knowledge of network security (e.g., encryption, firewalls, authentication, honey pots, perimeter protection).
K0488  Knowledge of network security implementations (e.g., host-based IDS, IPS, access control lists), including their function and placement in a network.
K0489  Knowledge of network topology.
K0490  Withdrawn – Integrated into K0058.
K0491  Knowledge of networking and internet communications fundamentals (i.e., devices, device configuration, hardware, software, applications, ports/protocols, addressing, network architecture and infrastructure, routing, operating systems, etc.).
K0492  Knowledge of non-traditional collection methodologies.
K0493  Knowledge of obfuscation techniques (e.g., TOR/Onion/anonymizers, VPN/VPS, encryption).
K0494  Knowledge of objectives, situation, operational environment, and the status and disposition of internal and external partner collection capabilities available to support planning.
K0495  Knowledge of ongoing and future operations.
K0496  Knowledge of operational asset constraints.
K0497  Knowledge of operational effectiveness assessment.
K0498  Knowledge of operational planning processes.
K0499  Knowledge of operations security.
K0500  Knowledge of organization and/or partner collection systems, capabilities, and processes (e.g., collection and protocol processors).
K0501  Knowledge of organization cyber operations programs, strategies, and resources.
K0502  Knowledge of organization decision support tools and/or methods.
K0503  Knowledge of organization formats of resource and asset readiness reporting, its operational relevance and intelligence collection impact.
K0504  Knowledge of organization issues, objectives, and operations in cyber as well as regulations and policy directives governing cyber operations.
K0505  Knowledge of organization objectives and associated demand on collection management.
K0506  Knowledge of organization objectives, leadership priorities, and decision-making risks.
K0507  Knowledge of organization or partner exploitation of digital networks.
K0508  Knowledge of organization policies and planning concepts for partnering with internal and/or external organizations.
K0509  Knowledge of organizational and partner authorities, responsibilities, and contributions to achieving objectives.
K0510  Knowledge of organizational and partner policies, tools, capabilities, and procedures.
K0511  Knowledge of organizational hierarchy and cyber decision making processes.
K0512  Knowledge of organizational planning concepts.
K0513  Knowledge of organizational priorities, legal authorities and requirements submission processes.
K0514  Knowledge of organizational structures and associated intelligence capabilities.
K0515  Knowledge of OSI model and underlying networking protocols (e.g., TCP/IP).
K0516  Knowledge of physical and logical network devices and infrastructure to include hubs, switches, routers, firewalls, etc.
K0517  Knowledge of PIR approval process.
K0518  Knowledge of planning activity initiation.
K0519  Knowledge of planning timelines adaptive, crisis action, and time-sensitive planning.
K0520  Knowledge of principles and practices related to target development such as target knowledge, associations, communication systems, and infrastructure.
K0521  Knowledge of priority information, how it is derived, where it is published, how to access, etc.
K0522  Knowledge of production exploitation and dissemination needs and architectures.
K0523  Knowledge of products and nomenclature of major vendors (e.g., security suites - Trend Micro, Symantec, McAfee, Outpost, Panda, Kaspersky) and how differences affect exploitation/vulnerabilities.
K0524  Knowledge of relevant laws, regulations, policies.
K0525  Knowledge of required intelligence planning products associated with cyber operational planning.
K0526  Knowledge of research strategies and knowledge management.
K0527  Knowledge of risk management and mitigation strategies.
K0528  Knowledge of satellite-based communication systems.
K0529  Knowledge of scripting.
K0530  Knowledge of security hardware and software options, including the network artifacts they induce and their effects on exploitation.
K0531  Knowledge of security implications of software configurations.
K0532  Knowledge of specialized target language (e.g., acronyms, jargon, technical terminology, codewords).
K0533  Knowledge of specific target identifiers and their usage.
K0534  Knowledge of staff management, assignment, and allocation processes.
K0535  Knowledge of strategies and tools for target research.
K0536  Knowledge of structure, approach, and strategy of exploitation tools (e.g., sniffers, keyloggers) and techniques (e.g., gaining backdoor access, collecting/exfiltrating data, conducting vulnerability analysis of other systems in the network).
K0537  Knowledge of system administration concepts for the Unix/Linux and Windows operating systems (e.g., process management, directory structure, installed applications, Access Controls).
K0538  Knowledge of target and threat organization structures, critical capabilities, and critical vulnerabilities.
K0539  Knowledge of target communication profiles and their key elements (e.g., target associations, activities, communication infrastructure).
K0540  Knowledge of target communication tools and techniques.
K0541  Knowledge of target cultural references, dialects, expressions, idioms, and abbreviations.
K0542  Knowledge of target development (i.e., concepts, roles, responsibilities, products, etc.).
K0543  Knowledge of target estimated repair and recuperation times.
K0544  Knowledge of target intelligence gathering and operational preparation techniques and life cycles.
K0545  Knowledge of target language(s).
K0546  Knowledge of target list development (i.e., RTL, JTL, CTL, etc.).
K0547  Knowledge of target methods and procedures.
K0548  Knowledge of target or threat cyber actors and procedures.
K0549  Knowledge of target vetting and validation procedures.
K0550  Knowledge of target, including related current events, communication profile, actors, and history (language, culture) and/or frame of reference.
K0551  Knowledge of targeting cycles.
K0552  Knowledge of tasking mechanisms.
K0553  Knowledge of tasking processes for organic and subordinate collection assets.
K0554  Knowledge of tasking, collection, processing, exploitation and dissemination.
K0555  Knowledge of TCP/IP networking protocols.
K0556  Knowledge of telecommunications fundamentals.
K0557  Knowledge of terminal or environmental collection (process, objectives, organization, targets, etc.).
K0558  Knowledge of the available tools and applications associated with collection requirements and collection management.
K0559  Knowledge of the basic structure, architecture, and design of converged applications.
K0560  Knowledge of the basic structure, architecture, and design of modern communication networks.
K0561  Knowledge of the basics of network security (e.g., encryption, firewalls, authentication, honey pots, perimeter protection).
K0562  Knowledge of the capabilities and limitations of new and emerging collection capabilities, accesses and/or processes.
K0563  Knowledge of the capabilities, limitations and tasking methodologies of internal and external collections as they apply to planned cyber activities.
K0564  Knowledge of the characteristics of targeted communication networks (e.g., capacity, functionality, paths, critical nodes).
K0565  Knowledge of the common networking and routing protocols (e.g., TCP/IP), services (e.g., web, mail, DNS), and how they interact to provide network communications.
K0566  Knowledge of the critical information requirements and how they're used in planning.
K0567  Knowledge of the data flow from collection origin to repositories and tools.
K0568  Knowledge of the definition of collection management and collection management authority.
K0569  Knowledge of the existent tasking, collection, processing, exploitation and dissemination architecture.
K0570  Knowledge of the factors of threat that could impact collection operations.
K0571  Knowledge of the feedback cycle in collection processes.
K0572  Knowledge of the functions and capabilities of internal teams that emulate threat activities to benefit the organization.
K0573  Knowledge of the fundamentals of digital forensics in order to extract actionable intelligence.
K0574  Knowledge of the impact of language analysis on on-net operator functions.
K0575  Knowledge of the impacts of internal and external partner staffing estimates.
K0576  Knowledge of the information environment.
K0577  Knowledge of the intelligence frameworks, processes, and related systems.
K0578  Knowledge of the intelligence requirements development and request for information processes.
K0579  Knowledge of the organization, roles and responsibilities of higher, lower and adjacent subelements.
K0580  Knowledge of the organization's established format for collection plan.
K0581  Knowledge of the organization's planning, operations and targeting cycles.
K0582  Knowledge of the organizational planning and staffing process.
K0583  Knowledge of the organizational plans/directives/guidance that describe objectives.
K0584  Knowledge of the organizational policies/procedures for temporary transfer of collection authority.
K0585  Knowledge of the organizational structure as it pertains to full spectrum cyber operations, including the functions, responsibilities, and interrelationships among distinct internal elements.
K0586  Knowledge of the outputs of course of action and exercise analysis.
K0587  Knowledge of the POC's databases, tools and applications necessary to establish environment preparation and surveillance products.
K0588  Knowledge of the priority information requirements from subordinate, lateral and higher levels of the organization.
K0589  Knowledge of the process used to assess the performance and impact of operations.
K0590  Knowledge of the processes to synchronize operational assessment procedures with the critical information requirement process.
K0591  Knowledge of the production responsibilities and organic analysis and production capabilities.
K0592  Knowledge of the purpose and contribution of target templates.
K0593  Knowledge of the range of cyber operations and their underlying intelligence support needs, topics, and focus areas.
K0594  Knowledge of the relationships between end states, objectives, effects, lines of operation, etc.
K0595  Knowledge of the relationships of operational objectives, intelligence requirements, and intelligence production tasks.
K0596  Knowledge of the request for information process.
K0597  Knowledge of the role of network operations in supporting and facilitating other organization operations.
K0598  Knowledge of the structure and intent of organization specific plans, guidance and authorizations.
K0599  Knowledge of the structure, architecture, and design of modern digital and telephony networks.
K0600  Knowledge of the structure, architecture, and design of modern wireless communications systems.
K0601  Knowledge of the systems/architecture/communications used for coordination.
K0602  Knowledge of the various collection disciplines and capabilities.
K0603  Knowledge of the ways in which targets or threats use the Internet.
K0604  Knowledge of threat and/or target systems.
K0605  Knowledge of tipping, cueing, mixing, and redundancy.
K0606  Knowledge of transcript development processes and techniques (e.g., verbatim, gists, summaries).
K0607  Knowledge of translation processes and techniques.
K0608  Knowledge of Unix/Linux and Windows operating systems structures and internals (e.g., process management, directory structure, installed applications).
K0609  Knowledge of virtual machine technologies.
K0610  Knowledge of virtualization products (VMware, Virtual PC).
K0611  Withdrawn – Integrated into K0131.
K0612  Knowledge of what constitutes a "threat" to a network.
K0613  Knowledge of who the organization's operational planners are, how and where they can be contacted, and what are their expectations.
K0614  Knowledge of wireless technologies (e.g., cellular, satellite, GSM) to include the basic structure, architecture, and design of modern wireless communications systems.

A.6 NCWF Skills Descriptions

Table 7 provides a listing of specific skills that might be demonstrated by a person in a given cybersecurity position. Selected skills descriptions from this list are included in the Detailed Work Role Listing in Appendix B. Because the list of skills has evolved over many years and is expected to continue to do so, it is not sorted in a particular order and will simply continue to grow sequentially.

Table 7 - NCWF Skills Descriptions

ID  Description
S0001  Skill in conducting vulnerability scans and recognizing vulnerabilities in security systems.
S0002  Skill in allocating storage capacity in the design of data management systems.
S0003  Skill of identifying, capturing, containing, and reporting malware.
S0004  Skill in analyzing network traffic capacity and performance characteristics.
S0005  Skill in applying and incorporating information technologies into proposed solutions.
S0006  Skill in applying confidentiality, integrity, and availability principles.
S0007  Skill in applying host/network access controls (e.g., access control list).
S0008  Skill in applying organization-specific systems analysis principles and techniques.
S0009  Skill in assessing the robustness of security systems and designs.
S0010  Skill in conducting capabilities and requirements analysis.
S0011  Skill in conducting information searches.
S0012  Skill in conducting knowledge mapping (e.g., map of knowledge repositories).
S0013  Skill in conducting queries and developing algorithms to analyze data structures.
S0014  Skill in conducting software debugging.
S0015  Skill in conducting test events.
S0016  Skill in configuring and optimizing software.
S0017  Skill in creating and utilizing mathematical or statistical models.
S0018  Skill in creating policies that reflect system security objectives.
S0019  Skill in creating programs that validate and process multiple inputs including command line arguments, environmental variables, and input streams.
S0020  Skill in developing and deploying signatures.
S0021  Skill in designing a data analysis structure (i.e., the types of data your test must generate and how to analyze those data).
S0022  Skill in designing countermeasures to identified security risks.
S0023  Skill in designing security controls based on cybersecurity principles and tenets.
S0024  Skill in designing the integration of hardware and software solutions.
S0025  Skill in detecting host and network based intrusions via intrusion detection technologies (e.g., Snort).
S0026  Skill in determining an appropriate level of test rigor for a given system.
S0027  Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.
S0028  Skill in developing data dictionaries.
S0029  Skill in developing data models.
S0030  Skill in developing operations-based testing scenarios.
S0031  Skill in developing and applying security system access controls.
S0032  Skill in developing, testing, and implementing network infrastructure contingency and recovery plans.
S0033  Skill in diagnosing connectivity problems.
S0034  Skill in discerning the protection needs (i.e., security controls) of information systems and networks.
S0035  Skill in establishing a routing schema.
S0036  Skill in evaluating the adequacy of security designs.
S0037  Skill in generating queries and reports.
S0038  Skill in identifying measures or indicators of system performance and the actions needed to improve or correct performance relative to the goals of the system.
S0039  Skill in identifying possible causes of degradation of system performance or availability and initiating actions needed to mitigate this degradation.
S0040  Skill in implementing, maintaining, and improving established network security practices.
S0041  Skill in installing, configuring, and troubleshooting LAN and WAN components such as routers, hubs, and switches.
S0042  Skill in maintaining databases.
S0043  Skill in maintaining directory services.
S0044  Skill in mimicking threat behaviors.
S0045  Skill in optimizing database performance.
S0046  Skill in performing packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump).
S0047  Skill in preserving evidence integrity according to standard operating procedures or national standards.
S0048  Skill in systems integration testing.
S0049  Skill in the measuring and reporting of intellectual capital.
S0050  Skill in design modeling and building use cases (e.g., unified modeling language).
S0051  Skill in the use of penetration testing tools and techniques.
S0052  Skill in the use of social engineering techniques.
S0053  Skill in tuning sensors.
S0054  Skill in using incident handling methodologies.
S0055  Skill in using knowledge management technologies.
S0056  Skill in using network management tools to analyze network traffic patterns (e.g., simple network management protocol).
S0057  Skill in using protocol analyzers.
S0058  Skill in using the appropriate tools for repairing software, hardware, and peripheral equipment of a system.
S0059  Skill in using Virtual Private Network (VPN) devices and encryption.
S0060  Skill in writing code in a currently supported programming language (e.g., Java, C).
S0061  Skill in writing test plans.
S0062  Skill in analyzing memory dumps to extract information.
S0063  Skill in collecting data from a variety of cyber defense resources.
S0064  Skill in developing and executing technical training programs and curricula.
S0065  Skill in identifying and extracting data of forensic interest in diverse media (i.e., media forensics).
S0066  Skill in identifying gaps in technical capabilities.
S0067  Skill in identifying, modifying, and manipulating applicable system components within Windows, Unix, or Linux (e.g., passwords, user accounts, files).
S0068  Skill in collecting, processing, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.
S0069  Skill in setting up a forensic workstation.
S0070  Skill in talking to others to convey information effectively.
S0071  Skill in using forensic tool suites (e.g., EnCase, Sleuthkit, FTK).
S0072  Skill in using scientific rules and methods to solve problems.
S0073  Skill in using virtual machines.
S0074  Skill in physically disassembling PCs.
S0075  Skill in conducting forensic analyses in multiple operating system environments (e.g., mobile device systems).
S0076  Skill in configuring and utilizing software-based computer protection tools (e.g., software firewalls, anti-virus software, anti-spyware).
S0077  Skill in securing network communications.
S0078  Skill in recognizing and categorizing types of vulnerabilities and associated attacks.
S0079  Skill in protecting a network against malware.
S0080  Skill in performing damage assessments.
S0081  Skill in using network analysis tools to identify vulnerabilities.
S0082  Skill in evaluating test plans for applicability and completeness.
S0083  Skill in integrating black box security testing tools into quality assurance process of software releases.
S0084  Skill in configuring and utilizing network protection components (e.g., Firewalls, VPNs, network intrusion detection systems).
S0085  Skill in conducting audits or reviews of technical systems.
S0086  Skill in evaluating the trustworthiness of the supplier and/or product.
S0087  Skill in deep analysis of captured malicious code (e.g., malware forensics).
S0088  Skill in using binary analysis tools (e.g., Hexedit, command code xxd, hexdump).
S0089  Skill in one-way hash functions (e.g., Secure Hash Algorithm [SHA], Message Digest Algorithm [MD5]).
S0090  Skill in analyzing anomalous code as malicious or benign.
S0091  Skill in analyzing volatile data.
S0092  Skill in identifying obfuscation techniques.
S0093  Skill in interpreting results of debugger to ascertain tactics, techniques, and procedures.
S0094  Skill in reading Hexadecimal data.
S0095  Skill in identifying common encoding techniques (e.g., Exclusive Disjunction [XOR], American Standard Code for Information Interchange [ASCII], Unicode, Base64, Uuencode, Uniform Resource Locator [URL] encode).
S0096  Skill in reading and interpreting signatures (e.g., snort).
S0097  Skill in applying security controls.
S0098  Skill in detecting host and network based intrusions via intrusion detection technologies.
S0099  Skill in determining how a security system should work and how changes in conditions, operations, or the environment will affect these outcomes.
S0100  Skill in utilizing or developing learning activities (e.g., scenarios, instructional games, interactive exercises).
S0101  Skill in utilizing technologies (e.g., SmartBoards, websites, computers, projectors) for instructional purposes.
S0102  Skill in applying technical delivery capabilities.
S0103  Skill in assessing the predictive power and subsequent generalizability of a model.
S0104  Skill in conducting Test Readiness Reviews.
S0105  Skill in data mining techniques.
S0106  Skill in data pre-processing (e.g., imputation, dimensionality reduction, normalization, transformation, extraction, filtering, smoothing).
S0107  Skill in designing and documenting overall program Test & Evaluation strategies.
S0108  Skill in developing workforce and position qualification standards.
S0109  Skill in identifying hidden patterns or relationships.
S0110  Skill in identifying Test & Evaluation infrastructure (people, ranges, tools, instrumentation) requirements.
S0111  Skill in interfacing with customers.
S0112  Skill in managing test assets, test resources, and test personnel to ensure effective completion of test events.
S0113  Skill in performing format conversions to create a standard representation of the data.
S0114  Skill in performing sensitivity analysis.
S0115  Skill in preparing Test & Evaluation reports.
S0116  Skill in designing multi-level security/cross domain solutions.
S0117  Skill in providing Test & Evaluation resource estimate.
S0118  Skill in developing machine understandable semantic ontologies.
S0119  Skill in Regression Analysis (e.g., Hierarchical Stepwise, Generalized Linear Model, Ordinary Least Squares, Tree-Based Methods, Logistic).
S0120  Skill in reviewing logs to identify evidence of past intrusions.
S0121  Skill in system, network, and OS hardening techniques.
S0122  Skill in the use of design methods.
S0123  Skill in transformation analytics (e.g., aggregation, enrichment, processing).
S0124  Skill in troubleshooting and diagnosing cyber defense infrastructure anomalies and work through resolution.
S0125  Skill in using basic descriptive statistics and techniques (e.g., normality, model distribution, scatter plots).
S0126  Skill in using data analysis tools (e.g., Excel, STATA SAS, SPSS).
S0127  Skill in using data mapping tools.
S0128  Skill in using manpower and personnel IT systems.
S0129  Skill in using outlier identification and removal techniques.
S0130  Skill in writing scripts using R, Python, PIG, HIVE, SQL, etc.
S0131  Skill in analyzing malware.
S0132  Skill in conducting bit-level analysis.
S0133  Skill in processing digital evidence, to include protecting and making legally sound copies of evidence.
S0134  Skill in conducting reviews of systems.
S0135  Skill in secure test plan design (e.g., unit, integration, system, acceptance).
S0136  Skill in network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools.
S0137  Skill in conducting application vulnerability assessments.
S0138  Skill in using Public-Key Infrastructure (PKI) encryption and digital signature capabilities into applications (e.g., S/MIME email, SSL traffic).
S0139  Skill in applying security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model).
S0140  Skill in applying the systems engineering process.
S0141  Skill in assessing security systems designs.
S0142  Skill in conducting research for troubleshooting novel client-level problems.
S0143  Skill in conducting system/server planning, management, and maintenance.
S0144  Skill in correcting physical and technical problems that impact system/server performance.
S0145  Skill in integrating and applying policies that meet system security objectives.
S0146  Skill in creating policies that enable systems to meet performance objectives (e.g., traffic routing, SLA's, CPU specifications).
S0147  Skill in assessing security controls based on cybersecurity principles and tenets.
S0148  Skill in designing the integration of technology processes and solutions, including legacy systems and modern programming languages.
S0149  Skill in developing applications that can log and handle errors, exceptions, and application faults and logging.
S0150  Skill in implementing and testing network infrastructure contingency and recovery plans.
S0151  Skill in troubleshooting failed system components (i.e., servers).
S0152  Skill in translating operational requirements into protection needs (i.e., security controls).
S0153  Skill in identifying and anticipating system/server performance, availability, capacity, or configuration problems.
S0154  Skill in installing system and component upgrades.
S0155  Skill in monitoring and optimizing system/server performance.
S0156  Skill in performing packet-level analysis (e.g., Wireshark, tcpdump, etc.).
S0157  Skill in recovering failed systems/servers.
S0158  Skill in operating system administration.
S0159  Skill in configuring and validating network workstations and peripherals in accordance with approved standards and/or specifications.
S0160  Skill in the use of design modeling (e.g., unified modeling language).
S0161  Withdrawn – Integrated into S0160.
S0162  Skill in sub-netting.
S0163  Withdrawn – Integrated into S0060.
S0164  Skill in assessing the application of cryptographic standards.
S0165  Skill in collecting, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.
S0166  Skill in identifying gaps in technical delivery capabilities.
S0167  Skill in recognizing vulnerabilities in security systems.
S0168  Skill in applying cybersecurity methods, such as firewalls, demilitarized zones, and encryption.
S0169  Skill in conducting trend analysis.
S0170  Skill in configuring and utilizing computer protection components (e.g., hardware firewalls, servers, routers, as appropriate).
S0171  Skill in performing impact/risk assessments.
S0172  Skill in applying secure coding techniques.
S0173  Skill in using security event correlation tools.
S0174  Skill in using code analysis tools.
S0175  Skill in performing root cause analysis.
S0176  Skill in administrative planning activities, to include preparation of functional and specific support plans, preparing and managing correspondence, and staffing procedures.
S0177  Skill in analyzing a target's communication networks.
S0178  Skill in analyzing essential network data (e.g., router configuration files, routing protocols).
S0179  Skill in analyzing language processing tools to provide feedback to enhance tool development.
S0180  Withdrawn – Integrated into S0062.
S0181  Skill in analyzing midpoint collection data.
S0182  Skill in analyzing target communications internals and externals collected from wireless LANs.
S0183  Skill in analyzing terminal or environment collection data.
S0184  Skill in analyzing traffic to identify network devices.
S0185  Skill in applying analytical methods typically employed to support planning and to justify recommended strategies and courses of action.
S0186  Skill in applying crisis planning procedures.
S0187  Skill in applying various analytical methods, tools, and techniques (e.g., competing hypotheses, chain of reasoning, scenario methods, denial and deception detection, high impact-low probability, network/association or link analysis, Bayesian, Delphi, and Pattern analyses).
S0188  Skill in assessing a target's frame of reference (e.g., motivation, technical capability, organizational structure, sensitivities).
S0189  Skill in assessing and/or estimating effects generated during and after cyber operations.
S0190  Skill in assessing current tools to identify needed improvements.
S0191  Skill in assessing the applicability of available analytical tools to various situations.
S0192  Skill in auditing firewalls, perimeters, routers, and intrusion detection systems.
S0193  Skill in complying with the legal restrictions for targeted information.
S0194  Skill in conducting non-attributable research.
S0195  Skill in conducting research using all available sources.
S0196  Skill in conducting research using deep web.
S0197  Skill in conducting social network analysis, buddy list analysis, and/or cookie analysis.
S0198  Skill in conducting social network analysis.
S0199  Skill in creating and extracting important information from packet captures.
S0200  Skill in creating collection requirements in support of data acquisition activities.
S0201  Skill in creating plans in support of remote operations.
S0202  Skill in data mining techniques (e.g., searching file systems) and analysis.
S0203  Skill in defining and characterizing all pertinent aspects of the operational environment.
S0204  Skill in depicting source or collateral data on a network map.
S0205  Skill in determining appropriate targeting options through the evaluation of available capabilities against desired effects.
S0206  Skill in determining installed patches on various operating systems and identifying patch signatures.
S0207  Skill in determining the effect of various router and firewall configurations on traffic patterns and network performance in both LAN and WAN environments.
S0208  Skill in determining the physical location of network devices.
S0209  Skill in developing and executing comprehensive cyber operations assessment programs for assessing and validating operational performance characteristics.
S0210  Skill in developing intelligence reports.
S0211  Skill in developing or recommending analytic approaches or solutions to problems and situations for which information is incomplete or for which no precedent exists.
S0212  Skill in disseminating items of highest intelligence value in a timely manner.
S0213  Skill in documenting and communicating complex technical and programmatic information.
S0214  Skill in evaluating accesses for intelligence value.
S0215  Skill in evaluating and interpreting metadata.
S0216  Skill in evaluating available capabilities against desired effects in order to provide effective courses of action.
S0217  Skill in evaluating data sources for relevance, reliability, and objectivity.
S0218  Skill in evaluating information for reliability, validity, and relevance.
S0219  Skill in evaluating information to recognize relevance, priority, etc.
S0220  Skill in exploiting/querying organizational and/or partner collection databases.
S0221  Skill in extracting information from packet captures.
S0222  Skill in fusion analysis.
S0223  Skill in generating operation plans in support of mission and target requirements.
S0224  Skill in gisting target communications.
S0225  Skill in identifying a target's communications networks.
S0226  Skill in identifying a target's network characteristics.
S0227  Skill in identifying alternative analytical interpretations in order to minimize unanticipated outcomes.
S0228  Skill in identifying critical target elements, to include critical target elements for the cyber domain.
S0229  Skill in identifying cyber threats which may jeopardize organization and/or partner interests.
S0230  Withdrawn – Integrated into S0066.
S0231  Skill in identifying how a target communicates.
S0232  Skill in identifying intelligence gaps and limitations.
S0233  Skill in identifying language issues that may have an impact on organization objectives.
S0234  Skill in identifying leads for target development.
S0235  Skill in identifying non-target regional languages and dialects.
S0236  Skill in identifying the devices that work at each level of protocol models.
S0237  Skill in identifying, locating, and tracking targets via geospatial analysis techniques.
S0238  Skill in information prioritization as it relates to operations.
S0239  Skill in interpreting compiled and interpretive programming languages.
S0240  Skill in interpreting metadata and content as applied by collection systems.
S0241  Skill in interpreting traceroute results, as they apply to network analysis and reconstruction.
S0242  Skill in interpreting vulnerability scanner results to identify vulnerabilities.
S0243  Skill in knowledge management, including technical documentation techniques (e.g., Wiki page).
S0244  Skill in managing client relationships, including determining client needs/requirements, managing client expectations, and demonstrating commitment to delivering quality results.
S0245  Skill in navigating network visualization software.
S0246  Skill in number normalization.
S0247  Skill in performing data fusion from existing intelligence for enabling new and continued collection.
S0248  Skill in performing target system analysis.
S0249  Skill in preparing and presenting briefings.
S0250  Skill in preparing plans and related correspondence.
S0251  Skill in prioritizing target language material.
S0252  Skill in processing collected data for follow-on analysis.
S0253  Skill in providing analysis on target-related matters (e.g., language, cultural, communications).
S0254  Skill in providing analysis to aid writing phased after action reports.
S0255  Skill in providing real-time, actionable geolocation information utilizing target infrastructures.
S0256  Skill in providing understanding of target or threat systems through the identification and link analysis of physical, functional, or behavioral relationships.
S0257  Skill in reading, interpreting, writing, modifying, and executing simple scripts (e.g., PERL, VBS) on Windows and Unix systems (e.g., those that perform tasks like parsing large data files, automating manual tasks, and fetching/processing remote data).
S0258  Skill in recognizing and interpreting malicious network activity in traffic.
S0259  Skill in recognizing denial and deception techniques of the target.
S0260  Skill in recognizing midpoint opportunities and essential information.
S0261  Skill in recognizing relevance of information.
S0262  Skill in recognizing significant changes in a target's communication patterns.
S0263  Skill in recognizing technical information that may be used for leads for metadata analysis.
S0264  Skill in recognizing technical information that may be used for leads to enable remote operations (data includes users, passwords, email addresses, IP ranges of the target, frequency in DNI behavior, mail servers, domain servers, SMTP header information).
S0265  Skill in recognizing technical information that may be used for target development including intelligence development.
S0266  Skill in relevant programming languages (e.g., C, Python, etc.).
S0267  Skill in remote command line and Graphic User Interface (GUI) tool usage.
S0268  Skill in researching essential information.
S0269  Skill in researching vulnerabilities and exploits utilized in traffic.
S0270  Skill in reverse engineering (e.g., hex editing, binary packaging utilities, debugging, and strings analysis) to
S0271 S0272 S0273 S0274 S0275 S0276 S0277 S0278 S0279 S0280 S0281 S0282 S0283 S0284 S0285 S0286 S0287 S0288 S0289 S0290 S0291 S0292 S0293 S0294 S0295 S0296
identify function and ownership of remote tools Skill in reviewing and editing assessment products Skill in reviewing and editing intelligence products from various sources for cyber operations Skill in reviewing and editing plans Skill in reviewing and editing target materials Skill in server administration Skill in survey collection and analysis of wireless LAN metadata Skill in synthesizing analyzing and prioritizing meaning across data sets Skill in tailoring analysis to the necessary levels e g classification and organizational Skill in target development in direct support of collection operations Skill in target network anomaly identification e g intrusions dataflow or processing target implementation of new technologies Skill in technical writing Skill in testing and evaluating tools for implementation Skill in transcribing target language communications Skill in translating target graphic and or voice language materials Skill in using Boolean operators to construct simple and complex queries Skill in using databases to identify target-relevant information Skill in using geospatial data and applying geospatial resources Skill in using multiple analytic tools databases and techniques e g Analyst’s Notebook ASpace Anchory M3 divergent convergent thinking link charts matrices etc Skill in using multiple search engines e g Google Yahoo LexisNexis DataStar and tools in conducting open-source searches Skill in using non-attributable networks Skill in using research methods including multiple different sources to reconstruct a target network Skill in using targeting databases and software packages Skill in using tools techniques and procedures to remotely exploit and establish persistence on a target Skill in using trace route tools and interpreting the results as they apply to network analysis and reconstruction Skill in using various open source data collection tools online trade DNS mail etc Skill in utilizing feedback in order to improve processes products and 
services 89 NIST SP 800-181 DRAFT ID S0297 S0298 S0299 S0300 S0301 S0302 S0303 S0304 S0305 S0306 S0307 S0308 S0309 S0310 S0311 S0312 S0313 S0314 S0315 S0316 S0317 S0318 S0319 S0320 S0321 S0322 S0323 S0324 S0325 S0326 S0327 S0328 S0329 S0330 S0331 NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Description Skill in utilizing virtual collaborative workspaces and or tools e g IWS VTCs chat rooms SharePoint Skill in verifying the integrity of all files Skill in wireless network target analysis templating and geolocation Skill in writing and submitting requirements to meet gaps in technical capabilities Skill in writing about facts and ideas in a clear convincing and organized manner Skill in writing effectiveness reports Skill in writing reviewing and editing cyber-related Intelligence assessment products from multiple sources Skill to access information on current assets available usage Skill to access the databases where plans directives guidance are maintained Skill to analyze strategic guidance for issues requiring clarification and or additional guidance Skill to analyze target or threat sources of strength and morale Skill to anticipate intelligence capability employment requirements Skill to anticipate key target or threat activities which are likely to prompt a leadership decision Skill to apply analytical standards to evaluate intelligence products Skill to apply the capabilities limitations and tasking methodologies of available platforms sensors architectures and apparatus as they apply to organization objectives Skill to apply the process used to assess the performance and impact of cyber operations Skill to articulate a needs statement requirement and integrate new and emerging collection capabilities accesses and or processes into collection operations Skill to articulate intelligence capabilities available to support execution of the plan Skill to articulate the needs of joint planners to all-source analysts Skill to associate Intelligence gaps to priority 
information requirements and observables Skill to compare and contrast indicators observables with requirements Skill to conceptualize the entirety of the intelligence process in the multiple domains and dimensions Skill to convert intelligence requirements into intelligence production tasks Skill to coordinate the development of tailored intelligence products Skill to correlate intelligence priorities to the allocation of intelligence resources assets Skill to craft indicators of operational progress success Skill to create and maintain up-to-date planning documents and tracking of services production Skill to determine feasibility of collection Skill to develop a collection plan that clearly shows the discipline that can be used to collect the information needed Skill to distinguish between notional and actual resources and their applicability to the plan under development Skill to ensure that the collection strategy leverages all available resources Skill to evaluate factors of the operational environment to objectives and information requirements Skill to evaluate requests for information to determine if response information exists Skill to evaluate the capabilities limitations and tasking methodologies of organic theater national coalition and other collection capabilities Skill to express orally and in writing the relationship between intelligence capability limitations and decision making risk and impacts on the overall operation 90 NIST SP 800-181 DRAFT ID S0332 S0333 S0334 S0335 S0336 S0337 S0338 S0339 S0340 S0341 S0342 S0343 S0344 S0345 S0346 S0347 S0348 S0349 S0350 S0351 S0352 S0353 S0354 S0355 S0356 S0357 S0358 S0359 NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Description Skill to extract information from available tools and applications associated with collection requirements and collection operations management Skill to graphically depict decision support materials containing intelligence and partner capability estimates Skill to identify and apply 
tasking collection processing exploitation and dissemination to associated collection disciplines Skill to identify Intelligence gaps Skill to identify when priority information requirements are satisfied Skill to implement established procedures for evaluating collection management and operations activities Skill to interpret planning guidance to discern level of analytical support required Skill to interpret readiness reporting its operational relevance and intelligence collection impact Skill to monitor target or threat situation and environmental factors Skill to monitor threat effects to partner capabilities and maintain a running estimate Skill to optimize collection system performance through repeated adjustment testing and readjustment Skill to orchestrate intelligence planning teams coordinate collection and production support and monitor status Skill to prepare and deliver reports presentations and briefings to include using visual aids or presentation technology Skill to relate intelligence resources assets to anticipated intelligence requirements Skill to resolve conflicting collection requirements Skill to review performance specifications and historical information about collection assets Skill to specify collections and or taskings that must be conducted in the near term Skill to synchronize operational assessment procedures with the critical information requirement process Skill to synchronize planning activities and required intelligence support Skill to translate the capabilities limitations and tasking methodologies of organic theater national coalition and other collection capabilities Skill to use collaborative tools and environments Skill to use systems and or tools to track collection requirements and determine whether or not they are satisfied Skill in creating policies that reflect the business’s core privacy objectives Skill in negotiating vendor agreements and evaluating vendor privacy practices Skill in communicating with all levels of 
management including Board members e g interpersonal skills approachability effective listening skills appropriate use of style and language for the audience Skill to anticipate new security threats Skill to remain aware of evolving technical infrastructures Skill to use critical thinking to analyze organizational patterns and relationships 852 91 NIST SP 800-181 DRAFT NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF 853 A 7 854 855 856 857 858 859 Table 8 provides a listing of specific abilities that might be demonstrated by a person in a given cybersecurity position Selected ability descriptions from this list are included in the Detailed Work Role Listing in Appendix B Because the list of abilities has evolved over many years and is expected to continue to do so it is not sorted in a particular order and will simply continue to grow sequentially NCWF Ability Descriptions Table 8 - NCWF Ability Descriptions ID A0001 A0002 A0003 A0004 A0005 A0006 A0007 A0008 A0009 A0010 A0011 A0012 A0013 A0014 A0015 A0016 A0017 A0018 A0019 A0020 A0021 A0022 A0023 A0024 A0025 A0026 A0027 A0028 A0029 A0030 Description Ability to identify systemic security issues based on the analysis of vulnerability and configuration data Ability to match the appropriate knowledge repository technology for a given application or environment Ability to determine the validity of technology trend data Ability to develop curriculum that speaks to the topic at the appropriate level for the target audience Ability to decrypt digital data collections Ability to prepare and deliver education and awareness briefings to ensure that systems network and data users are aware of and adhere to systems security policies and procedures Ability to tailor code analysis for application-specific concerns Ability to apply the methods standards and approaches for describing analyzing and documenting an organization's enterprise information technology IT architecture e g Open Group Architecture Framework TOGAF Department of 
Defense Architecture Framework DoDAF Federal Enterprise Architecture Framework FEAF Ability to apply supply chain risk management standards Ability to analyze malware Ability to answer questions in a clear and concise manner Ability to ask clarifying questions Ability to communicate complex information concepts or ideas in a confident and wellorganized manner through verbal written and or visual means Ability to communicate effectively when writing Ability to conduct vulnerability scans and recognize vulnerabilities in security systems Ability to facilitate small group discussions Ability to gauge learner understanding and knowledge level Ability to prepare and present briefings Ability to produce technical documentation Ability to provide effective feedback to students for improving learning Ability to use and understand complex mathematical concepts e g discrete math Ability to apply principles of adult learning Ability to design valid and reliable assessments Ability to develop clear directions and instructional materials Ability to accurately define incidents problems and events in the trouble ticketing system Ability to analyze test data Ability to apply an organization's goals and objectives to develop and maintain architecture Ability to assess and forecast manpower requirements to meet organizational objectives Ability to build complex data structures and high-level programming languages Ability to collect verify and validate test data 92 NIST SP 800-181 DRAFT ID A0031 A0032 A0033 A0034 A0035 A0036 A0037 A0038 A0039 A0040 A0041 A0042 A0043 A0044 A0045 A0046 A0047 A0048 A0049 A0050 A0051 A0052 A0053 A0054 A0055 A0056 A0057 A0058 A0059 A0060 A0061 A0062 A0063 A0064 A0065 NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Description Ability to conduct and implement market research to understand government and industry capabilities and appropriate pricing Ability to develop curriculum for use within a virtual environment Ability to develop policy plans and strategy 
in compliance with laws regulations policies and standards in support of organizational cyber activities Ability to develop update and or maintain standard operating procedures SOPs Ability to dissect a problem and examine the interrelationships between data that may appear unrelated Ability to identify basic common coding flaws at a high level Ability to leverage best practices and lessons learned of external organizations and academic institutions dealing with cyber issues Ability to optimize systems to meet enterprise performance requirements Ability to oversee the development and update of the lifecycle cost estimate Ability to translate data and test results into evaluative conclusions Ability to use data visualization tools e g Flare HighCharts AmCharts D3 js Processing Google Visualization API Tableau Raphael js Ability to develop career path opportunities Ability to conduct forensic analyses in and for both Windows and Unix Linux environments Ability to apply programming language structures e g source code review and logic Ability to evaluate ensure the trustworthiness of the supplier and or product Ability to monitor and assess the potential impact of emerging technologies on laws regulations and or policies Ability to develop secure software according to secure software deployment methodologies tools and practices Ability to apply network security architecture concepts including topology protocols components and principles e g application of defense-in-depth Ability to apply secure system design tools methods and techniques Ability to apply system design tools methods and techniques including automated systems analysis and design tools Ability to execute technology integration processes Ability to operate network equipment including hubs routers switches bridges servers transmission media and related hardware Ability to determine the validity of workforce trend data Ability to apply the Instructional System Design ISD methodology Ability to operate common 
network tools e g ping traceroute nslookup Ability to ensure security practices are followed throughout the acquisition process Ability to tailor curriculum that speaks to the topic at the appropriate level for the target audience Ability to execute OS command line e g ipconfig netstat dir nbtstat Ability to operate the organization's LAN WAN pathways Ability to build architectures and frameworks Ability to design architectures and frameworks Ability to monitor measures or indicators of system performance and availability Ability to operate different electronic communication systems and methods e g e-mail VOIP IM web forums Direct Video Broadcasts Ability to interpret and translate customer requirements into operational capabilities Ability to monitor traffic flows across the network 93 NIST SP 800-181 DRAFT ID A0066 A0067 A0068 A0069 A0070 A0071 A0072 A0073 A0074 A0075 A0076 A0077 A0078 A0079 A0080 A0081 A0082 A0083 A0084 A0085 A0086 A0087 A0088 A0089 A0090 A0091 A0092 A0093 A0094 A0095 A0096 A0097 NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Description Ability to accurately and completely source all data used in intelligence assessment and or planning products Ability to adjust to and operate in a diverse unpredictable challenging and fast-paced work environment Ability to apply approved planning development and staffing processes Ability to apply collaborative skills and strategies Ability to apply critical reading thinking skills Ability to apply language and cultural expertise to analysis Ability to clearly articulate intelligence requirements into well-formulated research questions and data tracking variables for inquiry tracking purposes Ability to clearly articulate intelligence requirements into well-formulated research questions and requests for information Ability to collaborate effectively with others Ability to communicate complex information concepts or ideas in a confident and wellorganized manner through verbal written and or visual means Ability to 
coordinate and collaborate with analysts regarding surveillance requirements and essential information development Ability to coordinate cyber operations with other organization functions or support activities Ability to coordinate collaborate and disseminate information to subordinate lateral and higher-level organizations Ability to correctly employ each organization or element into the collection plan and matrix Ability to develop or recommend analytic approaches or solutions to problems and situations for which information is incomplete or for which no precedent exists Ability to develop or recommend planning solutions to problems and situations for which no precedent exists Ability to effectively collaborate via virtual teams Ability to evaluate information for reliability validity and relevance Ability to evaluate analyze and synthesize large quantities of data which may be fragmented and contradictory into high quality fused targeting intelligence products Ability to exercise judgment when policies are not well-defined Ability to expand network access by conducting target analysis and collection in order to identify targets of interest Ability to focus research efforts to meet the customer’s decision-making needs Ability to function effectively in a dynamic fast-paced environment Ability to function in a collaborative environment seeking continuous consultation with other analysts and experts—both internal and external to the organization—in order to leverage analytical and technical expertise Ability to identify external partners with common cyber operations interests Ability to identify intelligence gaps Ability to identify describe target vulnerability Ability to identify describe techniques methods for conducting technical exploitation of the target Ability to interpret and apply laws regulations policies and guidance relevant to organization cyber objectives Ability to interpret and translate customer requirements into operational action Ability to 
interpret and understand complex and rapidly evolving concepts Ability to monitor system operations and react to events in response to triggers and or observation of trends or unusual activity 94 NIST SP 800-181 DRAFT ID A0098 A0099 A0100 A0101 A0102 A0103 A0104 A0105 A0106 A0107 A0108 A0109 A0110 A0111 A0112 A0113 A0114 A0115 A0116 A0117 A0118 A0119 NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Description Ability to participate as a member of planning teams coordination groups and task forces as necessary Ability to perform network collection tactics techniques and procedures to include decryption capabilities tools Ability to perform wireless collection procedures to include decryption capabilities tools Ability to recognize and mitigate cognitive biases which may affect analysis Ability to recognize and mitigate deception in reporting and analysis Ability to review processed target language materials for accuracy and completeness Ability to select the appropriate implant to achieve operational goals Ability to tailor technical and planning information to a customer’s level of understanding Ability to think critically Ability to think like threat actors Ability to understand objectives and effects Ability to utilize multiple intelligence sources across all intelligence disciplines Ability to monitor advancements in information privacy laws to ensure organizational adaptation and compliance Ability to work across departments and business units to implement organization’s privacy principles and programs and align privacy objectives with security objectives Ability to monitor advancements in information privacy technologies to ensure organizational adaptation and compliance Ability to determine whether a security incident violates a privacy principle or legal standard requiring specific legal action Ability to develop or procure curriculum that speaks to the topic at the appropriate level for the target Ability to work across departments and business units to 
implement organization’s privacy principles and programs and align privacy objectives with security objectives Ability to prioritize and allocate cybersecurity resources correctly and efficiently Ability to relate strategy business and technology in the context of organizational dynamics Ability to understand technology management and leadership issues related to organization processes and problem solving Ability to understand the basic concepts and issues related to cyber and its organizational impact 860 95 NIST SP 800-181 DRAFT 861 862 863 864 NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Appendix B—Work Role Detail Listing The following section provides a detailed description of each NCWF Work Role For each of the current Work Roles as described in the NCWF the listing below provides the following information 865 866 • A unique NCWF Work Role ID based upon the NCWF Category and Specialty Area to which that Work Role belongs 867 • The Specialty Area supporting the Work Role 868 • The formal Work Role name followed by the OPM job code identifier in parentheses 869 • A description of the Work Role 870 871 • A list of the NCWF Tasks that a person in a cybersecurity position that includes the Work Role might be expected to perform 872 873 • A list of the NCWF Knowledge areas that a person in a cybersecurity position that includes the Work Role might be expected to exhibit 874 875 • A list of the NCWF Skills that a person in a cybersecurity position that includes the Work Role might be expected to possess and 876 877 • A list of the NCWF Abilities that a person in a cybersecurity position that includes the Work Role might be expected to demonstrate 878 879 The following tables describe the NCWF Work Roles As described in Section 4 this listing will be updated periodically based upon industry feedback and changes to the cybersecurity landscape Work Role ID Category Specialty Area Work Role Name Work Role Description Tasks Knowledge Skills Abilities SP-RM-001 Securely 
Provision SP Risk Management RM Authorizing Official 611 Senior official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations including mission functions image or reputation organizational assets individuals other organizations and the Nation CNSSI 4009 T0145 T0221 T0371 T0495 K0001 K0002 K0003 K0004 K0005 K0006 K0013 K0019 K0027 K0028 K0037 K0038 K0040 K0044 K0048 K0049 K0054 K0059 K0084 K0085 K0089 K0101 K0146 K0168 K0169 K0170 K0179 K0199 K0203 K0260 K0261 K0262 K0267 K0295 K0322 K0342 S0034 None specified 880 96 NIST SP 800-181 DRAFT Work Role ID Category Specialty Area Work Role Name Work Role Description Tasks Knowledge Skills Abilities NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF SP-RM-001 Securely Provision SP Risk Management RM Authorizing Official 611 Senior official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations including mission functions image or reputation organizational assets individuals other organizations and the nation CNSSI 4009 T0145 T0221 T0371 T0495 K0001 K0002 K0003 K0004 K0005 K0006 K0013 K0019 K0027 K0028 K0037 K0038 K0040 K0044 K0048 K0049 K0054 K0059 K0084 K0085 K0089 K0101 K0146 K0168 K0169 K0170 K0179 K0199 K0203 K0260 K0261 K0262 K0267 K0295 K0322 K0342 S0034 None specified 881 Work Role ID Category Specialty Area Work Role Name Work Role Description Tasks Knowledge Skills Abilities SP-RM-002 Securely Provision SP Risk Management RM Security Control Assessor 612 Conducts independent comprehensive assessments of the management operational and technical security controls and control enhancements employed within or inherited by an information technology IT system to determine the overall effectiveness of the controls as defined in NIST 800-37 T0032 T0072 T0079 T0083 T0141 T0150 T0183 T0184 T0197 T0218 T0221 T0244 T0245 
T0251 T0301 K0001 K0002 K0003 K0004 K0005 K0006 K0013 K0019 K0027 K0028 K0037 K0038 K0040 K0044 K0048 K0049 K0054 K0059 K0084 K0085 K0089 K0101 K0146 K0168 K0169 K0170 K0179 K0199 K0203 K0260 K0261 K0262 K0267 K0287 K0322 K0342 S0001 S0006 S0027 S0034 S0038 S0086 None specified 882 Work Role ID Category Specialty Area Work Role Name Work Role Description Tasks Knowledge Skills SP-DEV-001 Securely Provision SP Software Development DEV Software Developer 621 Develops creates maintains and writes codes new or modifies existing computer applications software or specialized utility programs T0009 T0011 T0013 T0014 T0022 T0026 T0034 T0040 T0046 T0057 T0077 T0100 T0111 T0117 T0118 T0171 T0176 T0181 T0189 T0217 T0228 T0236 T0267 T0303 T0311 T0324 T0337 T0416 T0417 T0436 T0455 T0500 T0553 T0554 K0001 K0002 K0003 K0004 K0005 K0006 K0014 K0016 K0027 K0028 K0039 K0044 K0051 K0060 K0066 K0068 K0073 K0079 K0080 K0081 K0082 K0084 K0085 K0086 K0105 K0139 K0140 K0152 K0153 K0154 K0170 K0179 K0199 K0202 K0219 K0260 K0261 K0262 K0263 K0322 K0331 K0342 K0343 S0001 S0014 S0017 S0019 S0022 S0031 S0034 S0060 S0135 S0138 S0149 S0174 S0175 97 NIST SP 800-181 DRAFT NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Abilities A0007 A0021 A0047 Work Role ID Category Specialty Area Work Role Name Work Role Description Tasks SP-DEV-002 Securely Provision SP Software Development DEV Secure Software Assessor 622 Analyzes the security of new or existing computer applications software or specialized utility programs and provides actionable results T0013 T0014 T0022 T0038 T0040 T0100 T0111 T0117 T0118 T0171 T0181 T0217 T0228 T0236 T0266 T0311 T0324 T0337 T0424 T0428 T0436 T0456 T0457 T0516 T0554 K0001 K0002 K0003 K0004 K0005 K0006 K0014 K0016 K0027 K0028 K0039 K0044 K0051 K0060 K0066 K0068 K0073 K0079 K0080 K0081 K0082 K0084 K0085 K0086 K0105 K0139 K0140 K0152 K0153 K0154 K0170 K0178 K0179 K0199 K0202 K0219 K0260 K0261 K0262 K0263 K0322 K0342 K0343 S0001 S0022 S0031 S0034 S0083 S0135 S0138 S0174 S0175 
A0021 883 Knowledge Skills Abilities 884 Work Role ID Category Specialty Area Work Role Name Work Role Description Tasks Knowledge Skills Abilities SP-ARC-001 Securely Provision SP Systems Architecture ARC Enterprise Architect 651 Develops and maintains business systems and information processes to support enterprise mission needs develops information technology IT rules and requirements that describe baseline and target architectures T0051 T0084 T0090 T0108 T0196 T0205 T0307 T0314 T0328 T0338 T0427 T0440 T0448 T0473 T0517 T0521 T0542 T0555 T0557 K0001 K0002 K0003 K0004 K0005 K0006 K0024 K0027 K0028 K0030 K0035 K0037 K0043 K0044 K0052 K0056 K0060 K0061 K0063 K0074 K0075 K0082 K0091 K0093 K0102 K0170 K0179 K0180 K0198 K0200 K0203 K0207 K0211 K0212 K0214 K0227 K0240 K0264 K0275 K0286 K0287 K0291 K0293 K0299 K0322 K0323 K0325 K0326 K0332 K0333 S0005 S0024 S0050 S0060 S0099 S0122 A0008 A0015 A0027 A0038 A0051 A0060 885 Work Role ID Category Specialty Area Work Role Name Work Role Description Tasks SP-ARC-002 Securely Provision SP Systems Architecture ARC Security Architect 652 Designs enterprise and systems security throughout the development life cycle translates technology and environmental conditions e g law and regulation into security designs and processes T0050 T0051 T0071 T0082 T0084 T0090 T0108 T0177 T0196 T0203 T0205 T0268 T0307 T0314 T0328 T0338 T0427 T0448 T0473 T0484 T0542 T0556 98 NIST SP 800-181 DRAFT Knowledge Skills Abilities NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF K0001 K0002 K0003 K0004 K0005 K0006 K0015 K0018 K0019 K0024 K0027 K0030 K0035 K0036 K0037 K0043 K0044 K0052 K0055 K0056 K0060 K0061 K0063 K0074 K0082 K0091 K0092 K0093 K0102 K0170 K0180 K0198 K0200 K0207 K0211 K0212 K0214 K0227 K0240 K0260 K0261 K0262 K0264 K0275 K0286 K0287 K0291 K0293 K0320 K0322 K0323 K0325 K0332 K0333 K0336 S0005 S0024 S0027 S0050 S0060 S0099 S0116 S0122 S0139 S0152 S0168 A0008 A0015 A0027 A0038 A0048 A0049 A0050 A0061 886 Work Role ID Category Specialty Area Work 
NIST SP 800-181 DRAFT    NICE CYBERSECURITY WORKFORCE FRAMEWORK (NCWF)

Work Role ID: SP-RD-001
Category: Securely Provision (SP)
Specialty Area: Technology R&D (RD)
Work Role Name: Research and Development Specialist (661)
Work Role Description: Conducts software and systems engineering and software systems research in order to develop new capabilities, ensuring cybersecurity is fully integrated. Conducts comprehensive technology research to evaluate potential vulnerabilities in cyberspace systems.
Tasks: T0064, T0249, T0250, T0283, T0284, T0327, T0329, T0409, T0410, T0411, T0413, T0547
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0009, K0019, K0059, K0090, K0169, K0170, K0171, K0172, K0173, K0174, K0175, K0176, K0179, K0202, K0209, K0267, K0268, K0269, K0271, K0272, K0288, K0296, K0310, K0314, K0321, K0342
Skills: S0005, S0017, S0072, S0140, S0148, S0172
Abilities: A0001, A0018, A0019

Work Role ID: SP-RP-001
Category: Securely Provision (SP)
Specialty Area: Systems Requirements Planning (RP)
Work Role Name: Systems Requirements Planner (641)
Work Role Description: Consults with customers to evaluate functional requirements and translate functional requirements into technical solutions.
Tasks: T0033, T0039, T0045, T0052, T0062, T0127, T0156, T0174, T0191, T0235, T0273, T0300, T0313, T0325, T0334, T0454, T0463, T0497
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0008, K0012, K0018, K0019, K0032, K0035, K0038, K0043, K0044, K0045, K0047, K0055, K0056, K0059, K0060, K0061, K0063, K0066, K0067, K0073, K0074, K0086, K0087, K0090, K0091, K0093, K0101, K0102, K0163, K0164, K0168, K0169, K0170, K0180, K0200, K0267, K0287, K0325, K0332, K0333
Skills: S0005, S0006, S0008, S0010, S0050, S0134
Abilities: A0064

Work Role ID: SP-TE-001
Category: Securely Provision (SP)
Specialty Area: Test and Evaluation (TE)
Work Role Name: System Test & Evaluation Specialist (671)
Work Role Description: Plans, prepares, and executes tests of systems to evaluate results against specifications and requirements, as well as analyze/report test results.
Tasks: T0058, T0080, T0143, T0257, T0274, T0393, T0426, T0511, T0512, T0513, T0539, T0540
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0027, K0028, K0037, K0044, K0057, K0088, K0102, K0139, K0169, K0170, K0179, K0199, K0203, K0212, K0250, K0260, K0261, K0262, K0287, K0332
Skills: S0015, S0021, S0026, S0030, S0048, S0060, S0061, S0082, S0104, S0107, S0110, S0112, S0115, S0117
Abilities: A0026, A0030, A0040

Work Role ID: SP-SYS-001
Category: Securely Provision (SP)
Specialty Area: Systems Development (SYS)
Work Role Name: Information Systems Security Developer (631)
Work Role Description: Designs, develops, tests, and evaluates information system security throughout the systems development life cycle.
Tasks: T0012, T0015, T0018, T0019, T0021, T0032, T0053, T0055, T0056, T0061, T0069, T0070, T0076, T0078, T0105, T0107, T0109, T0119, T0122, T0124, T0181, T0201, T0205, T0228, T0231, T0242, T0269, T0270, T0271, T0272, T0304, T0326, T0359, T0446, T0449, T0466, T0509, T0518, T0527, T0541, T0544
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0015, K0018, K0024, K0027, K0028, K0030, K0032, K0035, K0036, K0044, K0045, K0049, K0050, K0052, K0055, K0056, K0060, K0061, K0063, K0065, K0066, K0067, K0073, K0081, K0082, K0084, K0086, K0087, K0090, K0091, K0093, K0102, K0139, K0169, K0170, K0179, K0180, K0200, K0203, K0260, K0261, K0262, K0276, K0287, K0297, K0308, K0322, K0325, K0331, K0333, K0336
Skills: S0001, S0022, S0023, S0024, S0031, S0034, S0036, S0085, S0145, S0160
Abilities: None specified

Work Role ID: SP-SYS-002
Category: Securely Provision (SP)
Specialty Area: Systems Development (SYS)
Work Role Name: Systems Developer (632)
Work Role Description: Designs, develops, tests, and evaluates information systems throughout the systems development life cycle.
Tasks: T0012, T0021, T0053, T0056, T0061, T0067, T0070, T0107, T0109, T0119, T0181, T0201, T0205, T0228, T0242, T0304, T0326, T0350, T0358, T0359, T0378, T0406, T0447, T0449, T0464, T0466, T0480, T0488, T0518, T0528, T0538, T0541, T0544, T0558, T0559, T0560
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0015, K0018, K0024, K0027, K0028, K0030, K0032, K0035, K0036, K0044, K0045, K0049, K0050, K0052, K0055, K0056, K0060, K0061, K0063, K0065, K0066, K0067, K0073, K0081, K0082, K0084, K0086, K0087, K0090, K0091, K0093, K0102, K0139, K0169, K0170, K0179, K0180, K0200, K0203, K0207, K0212, K0227, K0260, K0261, K0262, K0276, K0287, K0297, K0308, K0322, K0325, K0332, K0333, K0336
Skills: S0018, S0022, S0023, S0024, S0031, S0034, S0036, S0060, S0085, S0097, S0098, S0136, S0145, S0146, S0160
Abilities: None specified

Work Role ID: OM-DA-001
Category: Operate and Maintain (OM)
Specialty Area: Data Administration (DA)
Work Role Name: Database Administrator (421)
Work Role Description: Administers databases and/or data management systems that allow for the storage, query, and utilization of data.
Tasks: T0008, T0137, T0139, T0140, T0146, T0152, T0162, T0210, T0305, T0306, T0330, T0422, T0459, T0490
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0020, K0021, K0022, K0023, K0025, K0031, K0056, K0060, K0065, K0069, K0083, K0097, K0260, K0261, K0262, K0277, K0278, K0279, K0287, K0420
Skills: S0002, S0013, S0037, S0042, S0045
Abilities: None specified

Work Role ID: OM-DA-002
Category: Operate and Maintain (OM)
Specialty Area: Data Administration (DA)
Work Role Name: Data Analyst (422)
Work Role Description: Examines data from multiple disparate sources with the goal of providing new insight. Designs and implements custom algorithms, flow processes, and layouts for complex, enterprise-scale data sets used for modeling, data mining, and research purposes.
Tasks: T0007, T0008, T0068, T0146, T0195, T0210, T0342, T0347, T0349, T0351, T0353, T0361, T0366, T0381, T0382, T0383, T0385, T0392, T0402, T0403, T0404, T0405, T0460
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0015, K0016, K0020, K0022, K0023, K0025, K0031, K0051, K0056, K0060, K0065, K0068, K0069, K0083, K0095, K0129, K0139, K0140, K0193, K0197, K0229, K0236, K0238, K0325, K0328, K0420
Skills: S0013, S0017, S0028, S0029, S0037, S0060, S0088, S0089, S0094, S0095, S0103, S0105, S0106, S0109, S0113, S0114, S0118, S0119, S0123, S0125, S0126, S0127, S0129, S0130, S0160
Abilities: A0029, A0035, A0036, A0041, A0066

Work Role ID: OM-KM-001
Category: Operate and Maintain (OM)
Specialty Area: Knowledge Management (KM)
Work Role Name: Knowledge Manager (431)
Work Role Description: Responsible for the management and administration of processes and tools that enable the organization to identify, document, and access intellectual capital and information content.
Tasks: T0037, T0060, T0154, T0185, T0209, T0339, T0421, T0452, T0524
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0013, K0094, K0095, K0096, K0146, K0194, K0195, K0228, K0260, K0261, K0262, K0283, K0287, K0315, K0338, K0420
Skills: S0011, S0012, S0049, S0055
Abilities: A0002

Work Role ID: OM-TS-001
Category: Operate and Maintain (OM)
Specialty Area: Customer Service and Technical Support (TS)
Work Role Name: Technical Support Specialist (411)
Work Role Description: Provides technical support to customers who need assistance utilizing client-level hardware and software in accordance with established or approved organizational process components (i.e., Master Incident Management Plan, when applicable).
Tasks: T0237, T0308, T0315, T0331, T0468, T0482, T0491, T0494, T0496, T0502, T0530
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0053, K0088, K0114, K0237, K0242, K0247, K0260, K0261, K0262, K0287, K0292, K0294, K0302, K0306, K0317, K0330
Skills: S0039, S0058, S0142, S0159
Abilities: A0025, A0034

Work Role ID: OM-NET-001
Category: Operate and Maintain (OM)
Specialty Area: Network Services (NET)
Work Role Name: Network Operations Specialist (441)
Work Role Description: Plans, implements, and operates network services/systems, to include hardware and virtual environments.
Tasks: T0035, T0065, T0081, T0121, T0125, T0126, T0129, T0153, T0160, T0200, T0232
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0010, K0011, K0029, K0038, K0049, K0050, K0053, K0061, K0071, K0076, K0093, K0104, K0108, K0113, K0135, K0136, K0137, K0138, K0159, K0160, K0179, K0180, K0181, K0200, K0201, K0203, K0260, K0261, K0262, K0287, K0307, K0332
Skills: S0004, S0035, S0040, S0041, S0056, S0077, S0079, S0084, S0150, S0162, S0170
Abilities: A0052, A0055, A0058, A0059, A0062, A0063, A0065

Work Role ID: OM-SA-001
Category: Operate and Maintain (OM)
Specialty Area: Systems Administration (SA)
Work Role Name: System Administrator (451)
Work Role Description: Installs, configures, troubleshoots, and maintains hardware and software, and administers system accounts.
Tasks: T0029, T0054, T0063, T0136, T0144, T0186, T0207, T0418, T0431, T0435, T0458, T0461, T0498, T0501, T0507, T0514, T0515, T0531
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0049, K0053, K0064, K0077, K0088, K0100, K0103, K0104, K0117, K0130, K0158, K0167, K0179, K0181, K0260, K0261, K0262, K0280, K0289, K0318, K0327, K0331, K0346
Skills: S0016, S0033, S0043, S0073, S0076, S0111, S0143, S0144, S0151, S0153, S0154, S0155, S0157, S0158
Abilities: None specified

Work Role ID: OM-AN-001
Category: Operate and Maintain (OM)
Specialty Area: Systems Analysis (AN)
Work Role Name: Systems Security Analyst (461)
Work Role Description: Responsible for the analysis and development of the integration, testing, operations, and maintenance of systems security.
Tasks: T0015, T0016, T0017, T0085, T0086, T0088, T0123, T0128, T0169, T0177, T0187, T0194, T0202, T0205, T0243, T0309, T0344, T0462, T0469, T0470, T0475, T0477, T0485, T0489, T0492, T0499, T0504, T0508, T0526, T0545, T0548
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0015, K0018, K0019, K0024, K0035, K0036, K0040, K0044, K0049, K0056, K0060, K0061, K0063, K0075, K0082, K0093, K0102, K0179, K0180, K0200, K0203, K0227, K0232, K0260, K0261, K0262, K0263, K0266, K0267, K0275, K0276, K0281, K0284, K0285, K0287, K0290, K0297, K0322, K0329, K0333, K0339
Skills: S0024, S0027, S0031, S0036, S0060, S0141, S0147, S0167
Abilities: A0015

Work Role ID: OV-LG-001
Category: Oversee and Govern (OV)
Specialty Area: Legal Advice and Advocacy (LG)
Work Role Name: Cyber Legal Advisor (731)
Work Role Description: Provides legal advice and recommendations on relevant topics related to cyber law.
Tasks: T0006, T0098, T0102, T0131, T0220, T0419, T0434, T0465, T0474, T0476, T0478, T0487, T0522
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0017, K0059, K0107, K0157, K0312, K0316, K0341
Skills: None specified
Abilities: A0046

Work Role ID: OV-LG-002
Category: Oversee and Govern (OV)
Specialty Area: Legal Advice and Advocacy (LG)
Work Role Name: Privacy Compliance Manager (732)
Work Role Description: Develops and oversees privacy compliance program and privacy program staff, supporting privacy compliance needs of privacy and security executives and their teams.
Tasks: T0003, T0004, T0032, T0066, T0098, T0099, T0131, T0133, T0188, T0381, T0384, T0478, T0861, T0862, T0863, T0864, T0865, T0866, T0867, T0868, T0869, T0870, T0871, T0872, T0873, T0874, T0875, T0876, T0877, T0878, T0879, T0880, T0881, T0882, T0883, T0884, T0885, T0886, T0887, T0888, T0889, T0890, T0891, T0892, T0893, T0894, T0895, T0896, T0897, T0898, T0899, T0900, T0901, T0902, T0903, T0904, T0905, T0906, T0907, T0908, T0909, T0910, T0911, T0912, T0913, T0914, T0915, T0916, T0917, T0918, T0919
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0008, K0066, K0168, K0606, K0607, K0608, K0609, K0610, K0611, K0612, K0613, K0614
Skills: S0354, S0355, S0356
Abilities: A0024, A0033, A0034, A0104, A0105, A0110, A0111, A0112, A0113, A0114, A0115

Work Role ID: OV-ED-001
Category: Oversee and Govern (OV)
Specialty Area: Training, Education, and Awareness (ED)
Work Role Name: Cyber Instructional Curriculum Developer (711)
Work Role Description: Develops, plans, coordinates, and evaluates cyber training/education courses, methods, and techniques based on instructional needs.
Tasks: T0230, T0247, T0345, T0352, T0357, T0365, T0367, T0380, T0437, T0442, T0450, T0534, T0536, T0926
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0059, K0124, K0146, K0147, K0239, K0245, K0246, K0252, K0287
Skills: S0064, S0066, S0070, S0102, S0166
Abilities: A0004, A0032, A0054

Work Role ID: OV-ED-002
Category: Oversee and Govern (OV)
Specialty Area: Training, Education, and Awareness (ED)
Work Role Name: Cyber Instructor (712)
Work Role Description: Develops and conducts training or education of personnel within the cyber domain.
Tasks: T0030, T0073, T0101, T0224, T0230, T0247, T0316, T0317, T0318, T0319, T0320, T0321, T0322, T0323, T0443, T0444, T0450, T0467, T0519, T0520, T0535, T0536, T0926
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0059, K0115, K0124, K0130, K0146, K0147, K0204, K0208, K0213, K0215, K0216, K0217, K0218, K0220, K0226, K0287, K0319
Skills: S0064, S0070, S0100, S0101
Abilities: A0006, A0011, A0012, A0013, A0014, A0016, A0017, A0020, A0022, A0023, A0024, A0057

Work Role ID: OV-MG-001
Category: Oversee and Govern (OV)
Specialty Area: Cybersecurity Management (MG)
Work Role Name: Information Systems Security Manager (722)
Work Role Description: Responsible for the cybersecurity of a program, organization, system, or enclave.
Tasks: T0001, T0002, T0003, T0004, T0005, T0024, T0025, T0044, T0089, T0091, T0092, T0093, T0095, T0097, T0099, T0106, T0115, T0130, T0132, T0133, T0134, T0135, T0147, T0148, T0149, T0151, T0157, T0158, T0159, T0192, T0199, T0206, T0211, T0213, T0215, T0219, T0227, T0229, T0234, T0239, T0248, T0254, T0255, T0256, T0263, T0264, T0265, T0275, T0276, T0277, T0280, T0281, T0282
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0008, K0018, K0021, K0026, K0033, K0038, K0040, K0042, K0043, K0046, K0048, K0053, K0054, K0058, K0059, K0061, K0070, K0072, K0076, K0077, K0087, K0090, K0092, K0101, K0106, K0121, K0126, K0149, K0150, K0151, K0163, K0167, K0168, K0169, K0170, K0179, K0180, K0199, K0260, K0261, K0262, K0267, K0287, K0332, K0342
Skills: S0018, S0027, S0086
Abilities: None specified

Work Role ID: OV-MG-002
Category: Oversee and Govern (OV)
Specialty Area: Cybersecurity Management (MG)
Work Role Name: COMSEC Manager (723)
Work Role Description: Individual who manages the Communications Security (COMSEC) resources of an organization (CNSSI 4009).
Tasks: T0003, T0004, T0025, T0044, T0089, T0095, T0099, T0215, T0229
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0018, K0026, K0038, K0042, K0090, K0101, K0121, K0126, K0163, K0267, K0287
Skills: S0027
Abilities: None specified

Work Role ID: OV-PL-001
Category: Oversee and Govern (OV)
Specialty Area: Strategic Planning and Policy (PL)
Work Role Name: Cyber Workforce Developer and Manager (751)
Work Role Description: Develops cyberspace workforce plans, strategies, and guidance to support cyberspace workforce manpower, personnel, training, and education requirements, and to address changes to cyberspace policy, doctrine, materiel, force structure, and education and training requirements.
Tasks: T0074, T0094, T0116, T0222, T0226, T0341, T0355, T0356, T0362, T0363, T0364, T0368, T0369, T0372, T0373, T0374, T0375, T0376, T0384, T0387, T0388, T0390, T0391, T0408, T0425, T0429, T0441, T0445, T0472, T0481, T0505, T0506, T0529, T0533, T0537, T0552
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0070, K0127, K0146, K0166, K0168, K0233, K0234, K0241, K0243, K0309, K0311, K0313, K0335
Skills: S0108, S0128
Abilities: A0028, A0033, A0037, A0042, A0053

Work Role ID: OV-PL-002
Category: Oversee and Govern (OV)
Specialty Area: Strategic Planning and Policy Development
Work Role Name: Cyber Policy and Strategy Planner (752)
Work Role Description: Develops cyberspace plans, strategy, and policy to support and align with organizational cyberspace missions and initiatives.
Tasks: T0074, T0094, T0222, T0226, T0341, T0369, T0384, T0390, T0408, T0425, T0429, T0441, T0445, T0472, T0505, T0506, T0529, T0533, T0537
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0070, K0127, K0146, K0168, K0234, K0248, K0309, K0311, K0313, K0335
Skills: None specified
Abilities: A0003, A0033, A0037

Work Role ID: OV-EX-001
Category: Oversee and Govern (OV)
Specialty Area: Executive Cyber Leadership (EX)
Work Role Name: Executive Cyber Leadership (901)
Work Role Description: Executes decision-making authorities and establishes vision and direction for an organization's cyber and cyber-related resources and/or operations.
Tasks: T0001, T0002, T0006, T0066, T0157, T0229, T0264, T0282, T0337, T0356, T0429, T0445, T0509, T0763, T0871, T0872, T0927, T0928
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0009, K0085, K0106, K0314, K0296, K0147
Skills: S0356, S0357, S0358, S0359
Abilities: A0033, A0070, A0085, A0094, A0105, A0106, A0116, A0117, A0118, A0119

Work Role ID: OV-PM-001
Category: Oversee and Govern (OV)
Specialty Area: Acquisition and Program/Project Management (PM)
Work Role Name: Program Manager (801)
Work Role Description: Leads, coordinates, communicates, integrates, and is accountable for the overall success of the program, ensuring alignment with critical agency priorities.
Tasks: T0066, T0072, T0174, T0199, T0220, T0223, T0256, T0273, T0277, T0302, T0340, T0354, T0377, T0379, T0407, T0412, T0414, T0415, T0481, T0493, T0551
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0047, K0048, K0072, K0090, K0101, K0120, K0146, K0148, K0154, K0164, K0165, K0169, K0194, K0196, K0198, K0200, K0235, K0257, K0270
Skills: S0038
Abilities: A0009, A0039, A0045, A0056

Work Role ID: OV-PM-002
Category: Oversee and Govern (OV)
Specialty Area: Acquisition and Program/Project Management (PM)
Work Role Name: Information Technology (IT) Project Manager (802)
Work Role Description: Directly manages information technology projects to provide a unique service or product.
Tasks: T0072, T0174, T0196, T0199, T0207, T0208, T0220, T0223, T0256, T0273, T0277, T0340, T0354, T0370, T0377, T0379, T0389, T0394, T0407, T0412, T0414, T0415, T0481, T0493, T0551
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0012, K0043, K0047, K0048, K0059, K0072, K0090, K0101, K0120, K0146, K0148, K0154, K0164, K0165, K0169, K0194, K0196, K0198, K0200, K0235, K0257, K0270
Skills: S0038
Abilities: A0009, A0039, A0045, A0056

Work Role ID: OV-PM-003
Category: Oversee and Govern (OV)
Specialty Area: Acquisition and Program/Project Management (PM)
Work Role Name: Product Support Manager (803)
Work Role Description: Manages the package of support functions required to field and maintain the readiness and operational capability of systems and components.
Tasks: T0072, T0174, T0196, T0204, T0207, T0208, T0220, T0223, T0256, T0273, T0277, T0302, T0340, T0354, T0370, T0377, T0389, T0394, T0412, T0414, T0493, T0525, T0551, T0553
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0043, K0048, K0059, K0072, K0090, K0120, K0148, K0150, K0154, K0164, K0165, K0169, K0194, K0196, K0198, K0200, K0235, K0249, K0257, K0270
Skills: S0038
Abilities: A0009, A0031, A0039, A0045, A0056

Work Role ID: OV-PM-004
Category: Oversee and Govern (OV)
Specialty Area: Acquisition and Program/Project Management (PM)
Work Role Name: IT Investment/Portfolio Manager (804)
Work Role Description: Manages a portfolio of IT capabilities that align with the overall needs of mission and business enterprise priorities.
Tasks: T0220, T0223, T0277, T0302, T0377, T0415, T0493, T0551
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0048, K0072, K0120, K0126, K0146, K0154, K0165, K0169, K0235, K0257, K0270
Skills: None specified
Abilities: A0039

Work Role ID: OV-PM-005
Category: Oversee and Govern (OV)
Specialty Area: Acquisition and Program/Project Management (PM)
Work Role Name: IT Program Auditor (805)
Work Role Description: Conducts evaluations of an IT program or its individual components to determine compliance with published standards.
Tasks: T0072, T0207, T0208, T0223, T0256, T0389, T0412, T0415
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0043, K0047, K0048, K0072, K0090, K0120, K0148, K0154, K0165, K0169, K0198, K0200, K0235, K0257, K0270
Skills: S0038, S0085
Abilities: A0056

Work Role ID: PR-DA-001
Category: Protect and Defend (PR)
Specialty Area: Cyber Defense Analysis (DA)
Work Role Name: Cyber Defense Analyst (511)
Work Role Description: Uses data collected from a variety of cyber defense tools (e.g., IDS alerts, firewalls, network traffic logs) to analyze events that occur within their environments for the purposes of mitigating threats.
Tasks: T0020, T0023, T0043, T0088, T0155, T0164, T0166, T0178, T0187, T0198, T0214, T0258, T0259, T0260, T0290, T0291, T0292, T0293, T0294, T0295, T0296, T0297, T0298, T0299, T0310, T0332, T0469, T0470, T0475, T0503, T0504, T0526, T0545, T0548
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0007, K0013, K0015, K0018, K0019, K0024, K0033, K0040, K0042, K0044, K0046, K0049, K0056, K0058, K0059, K0060, K0061, K0065, K0070, K0074, K0075, K0093, K0098, K0099, K0104, K0106, K0110, K0111, K0112, K0113, K0116, K0139, K0142, K0143, K0157, K0160, K0161, K0162, K0167, K0168, K0179, K0180, K0190, K0191, K0192, K0203, K0221, K0222, K0260, K0261, K0262, K0273, K0290, K0297, K0300, K0301, K0303, K0318, K0322, K0324, K0331, K0339, K0342
Skills: S0020, S0025, S0027, S0036, S0054, S0057, S0063, S0078, S0096, S0147, S0167, S0169
Abilities: A0010, A0015, A0066

Work Role ID: PR-INF-001
Category: Protect and Defend (PR)
Specialty Area: Cyber Defense Infrastructure Support (INF)
Work Role Name: Cyber Defense Infrastructure Support Specialist (521)
Work Role Description: Tests, implements, deploys, maintains, and administers the infrastructure hardware and software.
Tasks: T0042, T0180, T0261, T0335, T0348, T0420, T0438, T0483, T0486
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0021, K0033, K0042, K0044, K0062, K0104, K0106, K0135, K0157, K0179, K0205, K0258, K0274, K0324, K0331, K0334, K0340
Skills: S0007, S0053, S0054, S0059, S0077, S0079, S0121, S0124
Abilities: None specified

Work Role ID: PR-IR-001
Category: Protect and Defend (PR)
Specialty Area: Incident Response (IR)
Work Role Name: Cyber Defense Incident Responder (531)
Work Role Description: Investigates, analyzes, and responds to cyber incidents within the network environment or enclave.
Tasks: T0041, T0047, T0161, T0163, T0170, T0175, T0214, T0233, T0246, T0262, T0278, T0279, T0312, T0333, T0395, T0503, T0510
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0021, K0026, K0033, K0034, K0041, K0042, K0046, K0058, K0062, K0070, K0106, K0157, K0161, K0162, K0167, K0177, K0179, K0221, K0225, K0230, K0259, K0287, K0332
Skills: S0003, S0047, S0077, S0078, S0079, S0080, S0173
Abilities: None specified

Work Role ID: PR-VA-001
Category: Protect and Defend (PR)
Specialty Area: Vulnerability Assessment and Management (VA)
Work Role Name: Vulnerability Assessment Analyst (541)
Work Role Description: Performs assessments of systems and networks within the NE or enclave and identifies where those systems/networks deviate from acceptable configurations, enclave policy, or local policy. Measures effectiveness of defense-in-depth architecture against known vulnerabilities.
Tasks: T0010, T0028, T0138, T0142, T0188, T0252, T0549, T0550
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0009, K0019, K0021, K0033, K0044, K0056, K0061, K0068, K0070, K0085, K0089, K0106, K0139, K0161, K0167, K0177, K0179, K0203, K0206, K0210, K0224, K0265, K0287, K0301, K0308, K0331, K0342, K0344, K0345
Skills: S0001, S0009, S0025, S0044, S0051, S0052, S0081, S0120, S0137, S0171
Abilities: A0001, A0044

Work Role ID: AN-TA-001
Category: Analyze (AN)
Specialty Area: Threat Analysis (TA)
Work Role Name: Warning Analyst (141)
Work Role Description: Develops unique cyber indicators to maintain constant awareness of the status of the highly dynamic operating environment. Collects, processes, analyzes, and disseminates cyber warning assessments.
Tasks: T0569, T0583, T0584, T0585, T0586, T0589, T0593, T0597, T0615, T0617, T0660, T0685, T0687, T0707, T0708, T0718, T0748, T0749, T0751, T0752, T0758, T0761, T0783, T0785, T0786, T0792, T0800, T0805, T0834
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0036, K0058, K0173, K0348, K0349, K0362, K0369, K0370, K0377, K0392, K0395, K0405, K0409, K0415, K0417, K0427, K0431, K0436, K0437, K0440, K0444, K0445, K0446, K0449, K0458, K0460, K0464, K0469, K0471, K0480, K0511, K0516, K0556, K0560, K0561, K0565, K0603, K0604, K0610, K0612, K0614
Skills: S0194, S0196, S0203, S0211, S0218, S0227, S0228, S0229, S0249, S0256, S0278, S0285, S0288, S0289, S0296, S0297, S0303
Abilities: A0066, A0072, A0075, A0080, A0082, A0083, A0084, A0087, A0088, A0089, A0091, A0101, A0102, A0106, A0107, A0109

Work Role ID: AN-XA-001
Category: Analyze (AN)
Specialty Area: Exploitation Analysis (XA)
Work Role Name: Exploitation Analyst (121)
Work Role Description: Collaborates to identify access and collection gaps that can be satisfied through cyber collection and/or preparation activities. Leverages all authorized resources and analytic techniques to penetrate targeted networks.
Tasks: T0570, T0572, T0574, T0591, T0600, T0603, T0608, T0614, T0641, T0695, T0701, T0720, T0727, T0736, T0738, T0754, T0775, T0777
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0131, K0142, K0348, K0349, K0362, K0369, K0370, K0417, K0444, K0471, K0560, K0351, K0354, K0368, K0371, K0376, K0379, K0388, K0393, K0394, K0397, K0418, K0430, K0434, K0443, K0447, K0451, K0470, K0473, K0484, K0487, K0489, K0509, K0510, K0523, K0529, K0535, K0537, K0544, K0557, K0559, K0608
Skills: S0066, S0184, S0199, S0200, S0201, S0204, S0207, S0214, S0223, S0236, S0237, S0239, S0240, S0245, S0247, S0258, S0260, S0264, S0269, S0279, S0286, S0290, S0294, S0300
Abilities: A0066, A0075, A0080, A0084, A0074, A0086, A0092, A0093, A0104

Work Role ID: AN-AN-001
Category: Analyze (AN)
Specialty Area: All-Source Analysis (AN)
Work Role Name: All-Source Analyst (111)
Work Role Description: Analyzes data/information from one or multiple sources to conduct preparation of the environment, respond to requests for information, and submit intelligence collection and production requirements in support of planning and operations.
Tasks: T0569, T0582, T0583, T0584, T0585, T0586, T0589, T0593, T0597, T0615, T0617, T0642, T0660, T0678, T0685, T0686, T0687, T0707, T0708, T0710, T0713, T0718, T0748, T0749, T0751, T0752, T0758, T0761, T0771, T0782, T0783, T0785, T0786, T0788, T0789, T0792, T0797, T0800, T0805, T0834
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0036, K0058, K0348, K0349, K0362, K0369, K0370, K0444, K0471, K0560, K0377, K0392, K0395, K0405, K0409, K0427, K0431, K0436, K0437, K0440, K0445, K0446, K0449, K0458, K0460, K0464, K0469, K0480, K0511, K0516, K0556, K0561, K0565, K0603, K0604, K0610, K0612, K0614, K0357, K0410, K0457, K0465, K0507, K0515, K0533, K0542, K0549, K0551, K0577, K0598
Skills: S0194, S0203, S0211, S0218, S0227, S0229, S0249, S0256, S0278, S0285, S0288, S0289, S0296, S0297, S0303, S0189, S0254
Abilities: A0066, A0075, A0080, A0084, A0072, A0082, A0083, A0085, A0087, A0088, A0089, A0091, A0101, A0102, A0106, A0107, A0108, A0109

Work Role ID: AN-AN-002
Category: Analyze (AN)
Specialty Area: All-Source Analysis (AN)
Work Role Name: Mission Assessment Specialist (112)
Work Role Description: Develops assessment plans and measures of performance/effectiveness. Conducts strategic and operational effectiveness assessments as required for cyber events. Determines whether systems performed as expected and provides input to the determination of operational effectiveness.
Tasks: T0582, T0583, T0585, T0586, T0588, T0589, T0593, T0597, T0611, T0615, T0617, T0624, T0660, T0661, T0663, T0678, T0684, T0685, T0686, T0707, T0718, T0748, T0749, T0752, T0758, T0761, T0782, T0783, T0785, T0786, T0788, T0789, T0793, T0797, T0834
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0036, K0058, K0348, K0349, K0362, K0369, K0370, K0377, K0392, K0395, K0405, K0409, K0410, K0414, K0417, K0427, K0431, K0436, K0437, K0440, K0444, K0445, K0446, K0449, K0457, K0460, K0464, K0465, K0469, K0471, K0480, K0507, K0511, K0516, K0549, K0551, K0556, K0560, K0561, K0565, K0598, K0603, K0604, K0610, K0612, K0614
Skills: S0189, S0194, S0203, S0211, S0216, S0218, S0227, S0228, S0229, S0249, S0254, S0256, S0271, S0278, S0285, S0288, S0289, S0292, S0296, S0297, S0303
Abilities: A0066, A0075, A0080, A0084, A0072, A0082, A0083, A0087, A0088, A0089, A0091, A0101, A0102, A0106, A0107, A0109, A0085, A0108

Work Role ID: AN-TD-001
Category: Analyze (AN)
Specialty Area: Targets (TD)
Work Role Name: Target Developer (131)
Work Role Description: Performs target system analysis, builds and/or maintains electronic target folders to include inputs from environment preparation and/or internal or external intelligence sources. Coordinates with partner target activities and intelligence organizations, and presents candidate targets for vetting and validation.
Tasks: T0597, T0617, T0707, T0582, T0782, T0797, T0588, T0624, T0661, T0663, T0684, T0642, T0710, T0561, T0594, T0599, T0633, T0650, T0652, T0688, T0717, T0731, T0744, T0769, T0770, T0776, T0781, T0790, T0794, T0798, T0799, T0802, T0815, T0824, T0835
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0036, K0058, K0142, K0173, K0348, K0349, K0362, K0369, K0370, K0444, K0471, K0560, K0392, K0395, K0409, K0427, K0431, K0436, K0437, K0440, K0445, K0446, K0449, K0460, K0464, K0516, K0556, K0561, K0565, K0603, K0604, K0614, K0457, K0465, K0507, K0549, K0551, K0598, K0417, K0458, K0357, K0533, K0542, K0351, K0379, K0473, K0381, K0402, K0413, K0426, K0439, K0461, K0466, K0478, K0479, K0497, K0543, K0546, K0547, K0555
Skills: S0194, S0203, S0218, S0227, S0229, S0249, S0256, S0278, S0285, S0288, S0289, S0296, S0297, S0189, S0228, S0216, S0292, S0196, S0187, S0205, S0208, S0222, S0248, S0274, S0287, S0302
Abilities: A0066, A0075, A0080, A0084, A0087, A0088, A0089, A0091, A0101, A0102, A0106, A0109, A0085, A0073

Work Role ID: AN-TD-002
Category: Analyze (AN)
Specialty Area: Targets (TD)
Work Role Name: Target Network Analyst (132)
Work Role Description: Conducts advanced analysis of collection and open-source data to ensure target continuity, to profile targets and their activities, and to develop techniques to gain more target information. Determines how targets communicate, move, operate, and live based on knowledge of target technologies, digital networks, and the applications on them.
Tasks: T0617, T0707, T0582, T0797, T0624, T0710, T0599, T0650, T0802, T0595, T0606, T0607, T0621, T0653, T0692, T0706, T0715, T0722, T0745, T0765, T0767, T0778, T0803, T0807
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0348, K0349, K0362, K0369, K0370, K0444, K0471, K0392, K0395, K0431, K0436, K0440, K0445, K0449, K0516, K0379, K0473, K0413, K0439, K0479, K0547, K0487, K0544, K0559, K0389, K0403, K0424, K0442, K0462, K0472, K0483, K0500, K0520, K0550, K0567, K0592, K0599, K0600
Skills: S0194, S0203, S0229, S0256, S0228, S0196, S0187, S0205, S0208, S0222, S0248, S0274, S0287, S0177, S0178, S0181, S0183, S0191, S0197, S0217, S0219, S0220, S0225, S0231, S0234, S0244, S0246, S0259, S0261, S0262, S0263, S0268, S0277, S0280, S0291, S0301
Abilities: A0066, A0075, A0080, A0084, A0087, A0088, A0089, A0091, A0101, A0102, A0106, A0109, A0085, A0073

Work Role ID: AN-LA-001
Category: Analyze (AN)
Specialty Area: Language Analysis (LA)
Work Role Name: Multi-Disciplined Language Analyst (151)
Work Role Description: Applies language and culture expertise with target/threat and technical knowledge to process, analyze, and/or disseminate intelligence information derived from language, voice, and/or graphic material. Creates and maintains language-specific databases and working aids to support cyber action execution and ensure critical knowledge sharing. Provides subject matter expertise in foreign language-intensive or interdisciplinary projects.
Tasks: T0650, T0606, T0715, T0745, T0761, T0837, T0838, T0839, T0840, T0841, T0842, T0843, T0844, T0845, T0846, T0847, T0848, T0849, T0850, T0851, T0852, T0853, T0854, T0855, T0856, T0857, T0858, T0859, T0860
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0173, K0348, K0431, K0449, K0413, K0487, K0462, K0520, K0550, K0567, K0599, K0600, K0417, K0377, K0434, K0356, K0359, K0367, K0391, K0396, K0398, K0407, K0416, K0476, K0488, K0491, K0493, K0524, K0532, K0539, K0540, K0541, K0545, K0548, K0564, K0571, K0574, K0579, K0596, K0606, K0607
Skills: S0187, S0217, S0244, S0259, S0262, S0277, S0218, S0184, S0290, S0179, S0188, S0193, S0195, S0198, S0210, S0212, S0215, S0224, S0226, S0232, S0233, S0235, S0241, S0251, S0253, S0265, S0283, S0284
Abilities: A0075, A0089, A0071, A0103

Work Role ID: CO-CL-001
Category: Collect and Operate (CO)
Specialty Area: Collection Operations (CL)
Work Role Name: All Source-Collection Manager (311)
Work Role Description: Identifies collection authorities and environment; incorporates priority information requirements into collection management; develops concepts to meet leadership's intent. Determines capabilities of available collection assets, identifies new collection capabilities, and constructs and disseminates collection plans. Monitors execution of tasked collection to ensure effective execution of the collection plan.
Tasks: T0562, T0564, T0568, T0573, T0578, T0604, T0605, T0625, T0626, T0631, T0632, T0634, T0645, T0646, T0647, T0649, T0651, T0657, T0662, T0674, T0681, T0683, T0698, T0702, T0714, T0716, T0721, T0723, T0725, T0734, T0737, T0750, T0753, T0755, T0757, T0773, T0779, T0806, T0809, T0810, T0811, T0812, T0814, T0820, T0821, T0827
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0036, K0058, K0431, K0449, K0417, K0579, K0596, K0369, K0444, K0471, K0392, K0395, K0440, K0445, K0516, K0560, K0427, K0446, K0561, K0565, K0405, K0480, K0610, K0612, K0353, K0361, K0364, K0366, K0380, K0382, K0383, K0386, K0387, K0390, K0401, K0404, K0412, K0419, K0425, K0435, K0448, K0453, K0454, K0467, K0474, K0475, K0477, K0482, K0492, K0495, K0496, K0498, K0503, K0505, K0513, K0521, K0522, K0526, K0527, K0552, K0553, K0554, K0558, K0562, K0563, K0569, K0570, K0580, K0581, K0583, K0584, K0587, K0588, K0601, K0605, K0613
Skills: S0238, S0304, S0305, S0311, S0313, S0316, S0317, S0324, S0325, S0327, S0328, S0330, S0332, S0334, S0335, S0336, S0339, S0342, S0344, S0347, S0351, S0352
Abilities: A0069, A0070, A0076, A0078, A0079

Work Role ID: CO-CL-002
Category: Collect and Operate (CO)
Specialty Area: Collection Operations (CL)
Work Role Name: All Source-Collection Requirements Manager (312)
Work Role Description: Evaluates collection operations and develops effects-based collection requirements strategies using available sources and methods to improve collection. Develops, processes, validates, and coordinates submission of collection requirements. Evaluates performance of collection assets and collection operations.
Tasks: T0564, T0568, T0578, T0605, T0651, T0714, T0725, T0734, T0809, T0810, T0811, T0565, T0577, T0580, T0596, T0602, T0613, T0668, T0673, T0675, T0682, T0689, T0693, T0694, T0730, T0746, T0780, T0819, T0822, T0830, T0831, T0832, T0833
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0036, K0058, K0431, K0417, K0579, K0596, K0369, K0444, K0395, K0445, K0516, K0560, K0427, K0446, K0561, K0565, K0480, K0610, K0612, K0353, K0361, K0364, K0366, K0380, K0382, K0383, K0384, K0386, K0387, K0390, K0401, K0404, K0412, K0419, K0421, K0425, K0435, K0448, K0453, K0454, K0467, K0474, K0475, K0477, K0482, K0492, K0495, K0496, K0498, K0505, K0513, K0521, K0526, K0527, K0552, K0554, K0558, K0562, K0563, K0568, K0569, K0570, K0580, K0581, K0584, K0587, K0588, K0605
Skills: S0304, S0305, S0316, S0317, S0327, S0330, S0334, S0335, S0336, S0339, S0344, S0347, S0352, S0329, S0337, S0346, S0348, S0353
Abilities: A0069, A0070, A0078

Work Role ID: CO-PL-001
Category: Collect and Operate (CO)
Specialty Area: Cyber Operational Planning (PL)
Work Role Name: Cyber Intel Planner (331)
Work Role Description: Develops detailed intelligence plans to satisfy cyber operations requirements. Collaborates with cyber operations planners to identify, validate, and levy requirements for collection and analysis. Participates in targeting selection, validation, synchronization, and execution of cyber actions. Synchronizes intelligence activities to support organization objectives in cyberspace.
Tasks: T0734, T0563, T0575, T0576, T0579, T0581, T0587, T0590, T0592, T0601, T0627, T0628, T0630, T0636, T0637, T0638, T0639, T0640, T0648, T0656, T0659, T0667, T0670, T0676, T0680, T0690, T0691, T0705, T0709, T0711, T0719, T0726, T0728, T0733, T0735, T0739, T0743, T0760, T0763, T0772, T0784, T0801, T0808, T0816, T0836
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0036, K0173, K0431, K0417, K0444, K0395, K0445, K0560, K0427, K0446, K0561, K0565, K0480, K0610, K0612, K0435, K0471, K0392, K0440, K0405, K0348, K0377, K0349, K0362, K0370, K0436, K0379, K0403, K0460, K0464, K0556, K0603, K0614, K0465, K0507, K0598, K0511, K0414, K0577, K0347, K0350, K0352, K0355, K0358, K0374, K0378, K0399, K0400, K0408, K0411, K0422, K0432, K0441, K0455, K0456, K0459, K0463, K0494, K0501, K0502, K0504, K0506, K0508, K0512, K0514, K0517, K0518, K0519, K0525, K0538, K0566, K0572, K0575, K0578, K0582, K0585, K0586, K0589, K0590, K0591, K0593, K0594, K0595, K0602
Skills: S0218, S0203, S0249, S0278, S0296, S0297, S0176, S0185, S0186, S0213, S0250, S0272, S0273, S0306, S0307, S0308, S0309, S0310, S0312, S0314, S0315, S0318, S0319, S0320, S0321, S0322, S0323, S0331, S0333, S0338, S0340, S0341, S0343, S0345, S0350
Abilities: A0066, A0070, A0075, A0089, A0085, A0082, A0074, A0067, A0068, A0077, A0081, A0090, A0094, A0096, A0098, A0105

Work Role ID: CO-PL-002
Category: Collect and Operate (CO)
Specialty Area: Cyber Operational Planning (PL)
Work Role Name: Cyber Ops Planner (332)
Work Role Description: Develops detailed plans for the conduct or support of the applicable range of cyber operations through collaboration with other planners, operators, and/or analysts. Participates in targeting selection, validation, and synchronization, and enables integration during the execution of cyber actions.
Tasks: T0734, T0563, T0579, T0581, T0592, T0627, T0628, T0640, T0648, T0667, T0670, T0680, T0690, T0719, T0733, T0739, T0743, T0763, T0772, T0801, T0836, T0571, T0622, T0635, T0654, T0655, T0658, T0665, T0672, T0679, T0699, T0703, T0704, T0732, T0741, T0742, T0747, T0764, T0787, T0791, T0795, T0813, T0823
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0036, K0173, K0431, K0417, K0444, K0395, K0445, K0560, K0446, K0561, K0565, K0480, K0610, K0612, K0435, K0471, K0392, K0348, K0377, K0349, K0362, K0370, K0436, K0379, K0403, K0464, K0556, K0603, K0614, K0465, K0507, K0598, K0511, K0414, K0347, K0350, K0352, K0374, K0378, K0399, K0400, K0408, K0411, K0422, K0432, K0455, K0494, K0501, K0502, K0504, K0506, K0508, K0512, K0514, K0518, K0519, K0525, K0538, K0566, K0572, K0582, K0585, K0586, K0589, K0590, K0593, K0594, K0516, K0497, K0534, K0576, K0597
Skills: S0218, S0249, S0296, S0297, S0176, S0185, S0186, S0213, S0250, S0273, S0309, S0312, S0322, S0333, S0209, S0326, S0349
Abilities: A0066, A0070, A0075, A0089, A0085, A0082, A0074, A0067, A0068, A0077, A0081, A0090, A0094, A0096, A0098, A0105

Work Role ID: CO-PL-003
Category: Collect and Operate (CO)
Specialty Area: Cyber Operational Planning (PL)
Work Role Name: Partner Integration Planner (333)
Work Role Description: Works to advance cooperation across organizational or national borders between cyber operations partners. Aids the integration of partner cyber teams by providing guidance, resources, and collaboration to develop best practices and facilitate organizational support for achieving objectives in integrated cyber actions.
Tasks: T0581, T0627, T0670, T0739, T0763, T0772, T0836, T0571, T0635, T0665, T0699, T0732, T0747, T0764, T0787, T0795, T0823, T0601, T0760, T0784, T0629, T0666, T0669, T0671, T0700, T0712, T0729, T0759, T0762, T0766, T0817, T0818, T0825, T0826
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0173, K0431, K0417, K0444, K0395, K0435, K0392, K0348, K0377, K0362, K0370, K0436, K0379, K0403, K0465, K0507, K0598, K0511, K0414, K0350, K0374, K0400, K0408, K0411, K0422, K0432, K0455, K0501, K0504, K0506, K0508, K0512, K0514, K0538, K0585
Skills: S0218, S0249, S0296, S0297, S0185, S0186, S0213, S0250, S0326
Abilities: A0066, A0070, A0075, A0089, A0085, A0082, A0074, A0067, A0068, A0077, A0081, A0090, A0094, A0096, A0098, A0105

Work Role ID: CO-OP-001
Category: Collect and Operate (CO)
Specialty Area: Cyber Operations (OP)
Work Role Name: Cyber Operator (321)
Work Role Description: Conducts collection, processing, and/or geolocation of systems in order to exploit, locate, and/or track targets of interest. Performs network navigation, tactical forensic analysis, and, when directed, executing on-net operations.
Tasks: T0566, T0567, T0598, T0609, T0610, T0612, T0616, T0618, T0619, T0620, T0623, T0643, T0644, T0664, T0677, T0696, T0697, T0724, T0740, T0756, T0768, T0774, T0796, T0804, T0828, T0829
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0142, K0370, K0379, K0403, K0560, K0565, K0480, K0516, K0427, K0440, K0430, K0537, K0608, K0360, K0363, K0365, K0372, K0373, K0375, K0406, K0420, K0423, K0428, K0429, K0433, K0438, K0452, K0468, K0481, K0485, K0486, K0528, K0530, K0531, K0536, K0573, K0609
Skills: S0062, S0183, S0236, S0182, S0190, S0192, S0202, S0206, S0221, S0242, S0243, S0252, S0255, S0257, S0266, S0267, S0270, S0275, S0276, S0281, S0282, S0293, S0295, S0298, S0299
Abilities: A0095, A0097, A0099, A0100

Work Role ID: IN-CI-001
Category: Investigate (IN)
Specialty Area: Cyber Investigation
Work Role Name: Cyber Crime Investigator (221)
Work Role Description: Identifies, collects, examines, and preserves evidence using controlled and documented analytical and investigative techniques. Note: Several of these activities may only be conducted by personnel with a Law Enforcement or Counter Intelligence Authority.
Tasks: T0031, T0059, T0096, T0103, T0104, T0110, T0112, T0113, T0114, T0120, T0225, T0241, T0343, T0346, T0360, T0386, T0423, T0430, T0433, T0453, T0471, T0479, T0523
Knowledge: K0001, K0002, K0003, K0004, K0005, K0006, K0070, K0114, K0118, K0123, K0128, K0144, K0168, K0231, K0244, K0251
Skills: S0047, S0068, S0072, S0086, S0165
Abilities: None specified

Work Role ID: IN-FO-001
Category: Investigate (IN)
Specialty Area: Digital Forensics (FO)
Work Role Name: Forensics Analyst (211)
Work Role Description: Conducts deep-dive investigations on computer-based crimes, establishing documentary or physical evidence, to include digital media and logs associated with cyber intrusion incidents.
T0067 T0076 T0096 T0115 T0146 T0484 T0220 T0235 T0273 T0297 T0398 T0401 T0403 T0411 T0425 T0421 T0424 T0440 T0482 T0490 T0507 T0274 T0059 T0541 T0558 T0078 T0427 T0402 T0419 T0420 T0542 T0308 T0447 K0001 K0002 K0003 K0004 K0005 K0006 K0017 K0021 K0042 K0060 K0070 K0077 K0078 K0099 K0109 K0117 K0118 K0119 K0122 K0123 K0125 K0128 K0131 K0132 K0133 K0134 K0145 K0155 K0156 K0167 K0168 K0179 K0182 K0183 K0184 K0185 K0186 K0187 K0188 K0189 K0305 S0032 S0046 S0047 S0062 S0065 S0067 S0068 S0069 S0071 S0073 S0074 S0075 S0087 S0088 S0089 S0090 S0091 S0092 S0093 A0005 931 115 NIST SP 800-181 DRAFT Work Role ID Category Specialty Area Work Role Name Work Role Description Tasks Knowledge Skills Abilities NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF IN-FO-002 Investigate IN Digital Forensics FO Cyber Defense Forensics Analyst 212 Analyzes digital evidence and investigates computer security incidents to derive useful information in support of system network vulnerability mitigation T0027 T0036 T0048 T0049 T0075 T0087 T0103 T0113 T0165 T0167 T0168 T0172 T0173 T0175 T0179 T0182 T0190 T0212 T0216 T0240 T0241 T0253 T0279 T0285 T0286 T0287 T0288 T0289 T0312 T0396 T0397 T0398 T0399 T0400 T0401 T0432 T0532 T0543 T0546 K0001 K0002 K0003 K0004 K0005 K0006 K0018 K0021 K0042 K0060 K0070 K0077 K0078 K0099 K0109 K0117 K0118 K0119 K0122 K0123 K0125 K0128 K0131 K0132 K0133 K0134 K0145 K0155 K0156 K0167 K0168 K0179 K0182 K0183 K0184 K0185 K0186 K0187 K0188 K0189 K0224 K0254 K0255 K0301 K0304 K0347 S0032 S0047 S0062 S0065 S0067 S0068 S0069 S0071 S0073 S0074 S0075 S0087 S0088 S0089 S0090 S0091 S0092 S0093 S0131 S0132 S0133 A0005 A0043 932 116 NIST SP 800-181 DRAFT 933 934 NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Appendix C—Acronyms Selected acronyms and abbreviations used in this paper are defined below API CAE CDS CIO CMMI CNSSI COMSEC COTR CSF CSIP DNS EISA FISMA FOIA HR IDS IP IPS IR IRT ISD ITL KSA LAN NCWF NICE OLA OMB OPM OS OSI P L PCI PHI PIA PII PKI R D RFID RMF SA A SDLC SLA 
Application programming interface Centers of Academic Excellence Cross-Domain Solutions Chief Information Officer Capability Maturity Model Integration Committee on National Security Systems Instruction Communications Security Contracting Officer's Technical Representative Cybersecurity Framework Cybersecurity Strategy and Implementation Plan Domain Name System Enterprise information security architecture Federal Information Security Modernization Act Freedom of Information Act Human Resource Intrusion detection system Internet Protocol Intrusion Prevention System Incident Response Incident Response Teams Instructional System Design Information Technology Laboratory Knowledge skills and abilities Local area network National Cybersecurity Workforce Framework National Initiative for Cybersecurity Education Operating-Level Agreement Office of Management and Budget Office of Personnel Management Operating system Open System Interconnection Public Law Payment Card Industry Personal Health Information Privacy Impact Assessments Personally Identifiable Information Public key infrastructure Research and Design Radio Frequency Identification Risk Management Framework Security Assessment and Authorization System development life cycle Service-Level Agreements 117 NIST SP 800-181 DRAFT SOP SQL TCP TTP URL VPN WAN NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Standard operating procedures Structured query language Transmission Control Protocol Tactics techniques and procedures Uniform Resource Locator Virtual Private Network Wide Area Network 935 118 NIST SP 800-181 DRAFT 936 NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF Appendix D—References 1 National Initiative for Cybersecurity Education National Cybersecurity Workforce Framework ver 1 0 http csrc nist gov nice framework national_cybersecurity_workforce_framework_0 3_2013_version1_0_interactive pdf 2 National Initiative for Cybersecurity Education National Cybersecurity Workforce Framework ver 2 0 http csrc nist gov nice 
framework DraftNationalCybersecurityWorkforceFramewor kV2 xlsx 3 Cybersecurity Framework National Institute of Standards and Technology Website http www nist gov cyberframework 4 M Ennis Competency Models A Review of the Literature and The Role of the Employment and Training Administration ETA Employment and Training Administration U S Department of Labor January 29 2008 https www careeronestop org competencymodel Info_Documents OPDRLiterature Review pdf 5 U S Department of Education Office of Career Technical and Adult Education Employability Skills Framework Web Site http cte ed gov employabilityskills 6 Mapping – NSA DHS Knowledge Unit to NICE Framework 2 0 National Centers of Academic Excellence in IA CD https www iad gov NIETP documents Requirements NSA_DHS_CAE_KU_Mappi ng_to_NICE_FW_2 0 pdf 7 Office of Management and Budget OMB Federal Cybersecurity Workforce Strategy OMB Memorandum 16-15 July 12 2016 https www whitehouse gov sites default files omb memoranda 2016 m-16-15 pdf 8 U S Department of Labor Employment and Training Administration ETA Website https www doleta gov 9 U S Department of Homeland Security Cybersecurity Workforce Development Toolkit CDWT https niccs us-cert gov workforce-development cybersecurityworkforce-development-toolkit 10 Baldrige Cybersecurity Excellence Program National Institute of Standards and Technology Website https www nist gov baldrige products-services baldrigecybersecurity-initiative 11 U S Department of Homeland Security CMSI PushButtonPD™ Tool Website https niccs us-cert gov workforce-development dhs-cmsi-pushbuttonpd-tool 12 Executive Order no 13636 Improving Critical Infrastructure Cybersecurity DCPD201300091 February 12 2013 http www gpo gov fdsys pkg FR-2013-0219 pdf 2013-03915 pdf 119 NIST SP 800-181 DRAFT NICE CYBERSECURITY WORKFORCE FRAMEWORK NCWF 13 NIST Roadmap for Improving Critical Infrastructure Cybersecurity National Institute of Standards and Technology February 12 2014 https www nist gov sites default 
files documents cyberframework roadmap021214 pdf 14 National Initiative for Cybersecurity Education National Institute of Standards and Technology Website http csrc nist gov nice 15 Draft NIST Special Publication SP 800-160 Systems Security Engineering Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems National Institute of Standards and Technology Gaithersburg Maryland September 2016 261pp http csrc nist gov publications drafts 800160 sp800_160_final-draft pdf 937 120