NIST revises cybersecurity training special publication


The National Institute of Standards and Technology released Wednesday a public draft of a special publication governing federal agency cybersecurity role-based training.

In the draft – NIST SP 800-16 R. 1, second draft, version two (.pdf) – NIST notes that training differs from education, with the latter being led by the National Initiative for Cybersecurity Education. The NICE workforce taxonomy released in 2011 provides a framework for the education of cybersecurity workers, the draft says, whereas this NIST special publication focuses on how all federal workers will ensure government is information is secure.

"For example, a pilot is educated on the aerodynamics of an aircraft, and trained on how to fly the aircraft," it adds.

Nor is information security the purview of just cybersecurity workers. "Each individual that owns, uses, relies on, or manages information and information systems must fully understand their specific security responsibilities," the draft states.

Training should be tailored to the roles that workers have in federal agencies, it adds – and roles "are not simply job titles."

It describes "for illustrative purposes" three competency levels, ranging from basic to expert. Agencies should construct an enterprisewide training program by beginning with a need assessment to identify gaps in the current training program or identify roles within functions which require training. The second step is to identify knowledge and skills for which workers need training. Then, the two steps are correlated along with a determination to what competency level individuals in roles require training toward – at which point training should occur followed by an evaluation.

This being a NIST document, the draft provides a catalog of knowledge and skill categories broken down into individual elements – for example "Skill in security impact analysis of changes to the configuration" within the "Configuration Management" category. It also provides sample matrices for role-based training categorized according to functional and role areas. For example within the "operate and maintain" function, there could be the role area of "network services" broken down into 11 different roles, such as "network administrator" or "continuous monitoring executer."

The draft proposes matching each of those roles to knowledge and skills, categorized according to competencies – All, Manage, Design, Implement and Evaluate.

Comments are due by Nov. 30.

For more:
- download NIST SP 800-16 R. 1, second draft, version two (.pdf)

Related Articles:
Cybersecurity an occupation, not a profession, says report
Federal cybersecurity workforce study highlights age, training needs
DHS must improve cybersecurity professional recruitment, career path