NIST draft cyber framework spotlights workforce woes

futuristic cyberwar

When the National Institute of Standards and Technology released a new draft cybersecurity framework on Oct. 22, it fleshed out some parts of the August version that came before it, while still leaving other questions unanswered.

Perhaps the most noticeable update, however, is the addition of the cybersecurity workforce as an area for improvement. While it is not a surprise to see the workforce incorporated as part of a holistic approach to cybersecurity, the inclusion in the draft framework underscores the broader government- and industry-wide concerns.

It is more than just filling the seats at the network controls – the cybersecurity workforce the framework references, boosted by input from industry and government – encompasses a deeper understanding of cyber risks and how they affect a specific sector, organization, department or system.

"The workforce was a common point as we analyzed responses" to NIST requests for information and public workshops related to the framework development, said Kevin Stine, manager of the security outreach and integration group at NIST's IT laboratory computer division group. "It's generally known there is a shortage of cybersecurity experts, and what we observed and heard through the RFI process was that there's even more of a shortage with the understanding of critical infrastructure challenges that exist today. Through the RFI response process and analysis, we've identified several common points highlighting needs in the workforce."

The NIST side of the workforce coin has less to do with the overall shortage of cyber pros, and more to do with the very specific requirements in critical infrastructure and its distinct threats, technology and landscapes – and the evolving practices that must keep up with that, which the framework aims to help do.

"It's about understanding what the current needs are, understanding what the future needs will be based on the environment and mission space, and then being able to identify and develop resources to help not only understand those needs but begin to fill the workforce gaps -- hiring, acquisition, training resources," Stine said.

The workforce target fits in with broader NIST initiatives as well as those within other parts of the federal government, including the Homeland Security Department.

Throughout the process, "we heard from stakeholders about the need for a workforce that considers cybersecurity from the business aspect, the legal aspect, the technical aspect – there's still a great need there, and the federal government has started to recognize that with programs like the National Initiative for Cybersecurity Education," which NIST leads with the help of other federal agencies, said Donna Dodson, NIST deputy cybersecurity adviser. Dodson spoke Oct. 25 as part of a U.S. Telecom event in Washington.

Those efforts have launched "to make sure we do have a workforce that understands, is aware and has the tools and skills that we need to be able to ensure the cybersecurity concepts discussed in the framework, that risk-management approach, is something that people understand as they're building next-generation capabilities," Dodson said. "So really we see that there is a great need for that kind of expertise and talent throughout the nation, and therefore we've reflected that in the framework as something that needs to be addressed."

About the Author

Amber Corrin is a former staff writer for FCW and Defense Systems.

Cyber. Covered.

Government Cyber Insider tracks the technologies, policies, threats and emerging solutions that shape the cybersecurity landscape.


Reader comments

Tue, Jan 28, 2014 Jim Overby 3 USA

The problem is simple. You have hundreds of thousands of "hackers" attacking a solution designed by only 20 or 30 people. Eventually, unless the small group is significantly "ahead" of them, the large group will find things the small group missed. The answer is to empower the small group with "technology leverage" that negates the numbers.

Thu, Oct 31, 2013

Look, you have the same problem in private industry that you have in federal government. Just look at the threat and incident reports. What counts is how soon or if the adversary is discovered. Most of the IT systems are out-sourced to companies already. Just most businesses have the ability to spin the news. The mission side of government is looking for a magic bullet even though they say they aren't. They are looking to save money and that is by removing layers of defense including compliance standards such as change control, testing and planning. A mature organization has multiple layers for cyber program. Cyber program takes tending and renewal. Buying a tool that assesses a set of technical controls and training staff to operate it will work only so long and then the adversary learns how to circumvent it, in addition it only looks at a subset of security concerns. The important piece is that you have other layers in place to detect when its been circumvented. Everyone is saying that they don't want to follow the old set of rules and standards, but then you have people ignoring the electrical codes and stuffing equipment in too small of places to save money and having them arc and putting the project back by 18 months- see one agency's latest screw-up in a past month's GCN report. But I bet that security person knew everything about big data and the latest cyber analytics. There are reasons for standards and codes and right now with financial pressures they are looking to new recruits that have little experience with these pesky standards, big projects or an understanding of what really holistic means. The first administration solution in 2009 was to toss as much as possible to the cloud. People realized belatedly that these new companies didn't understand the basics in security beyond availability and encryption let alone the need for transparency. Look at the latest IT web screw-up. Not testing from end to end? Curious how many of these programmers were trained in secure programming techniques or came straight out of college. Adversaries look for these apps to attack. I really wonder how seasoned the PM and IT Team Leader were in this current fiasco. Of course being able to say no to changes in the last 6 months of a project would have been the key. The explanation should have been "I can add this change if you give me 6 months to test. No? Then wait to next release." Remember, both Amazon, Sony and Google have been hacked in the last 5 years, so pay scale isn't everything but it is nice to have. The problem is not new. The enemy is quicker and we need some new tools and techniques. And fewer fools rushing in to the rescue. Incidents are happening now because of these fools convincing management in the last four years to waive basic security controls and practices in order to save money on resources that could have been fixing the issues.

Mon, Oct 28, 2013

You want to fix the Cyber Security workforce in the Federal Government, fix your pay scale. You want highly qualified individuals guarding your network, you have to pay for highly qualified individuals. Opposite of what's being espoused by Congress and the like, federal pay and private sector pay are way out of scale, only I'm paid way more in the private sector than offers given for federal positions, and that's before you throw in the furloughs and shut downs.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group