Introducing the Digital Forensics Analyst Role Based on the NIST NICE Cybersecurity Workforce Framework

We at Pluralsight have seen an increase among both US public sector and global private sector companies utilizing the NIST National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (commonly referred to as the NICE Framework) to define their work roles in the information and cybersecurity sector. For many years there has been no single, agreed-upon, global source for organizations to assess their cybersecurity workforces, identify critical gaps in cybersecurity staffing, identify training needs, and improve job descriptions and requirements for recruitment. The mission of NICE is to “energize and promote a robust network and an ecosystem of cybersecurity education, training, and workforce development," according to [its website] (https://www.nist.gov/itl/applied-cybersecurity/nice).

The NICE Cybersecurity Workforce Framework, as seen in the NIST Special Publication 800-181, is a resource that categorizes and describes cybersecurity work. It establishes a common lexicon that can be used to describe cybersecurity work, regardless of where or for whom the work is performed.

The first version of the NICE Framework was published in 2012, and at that time it had been built to provide a standard for roles within the federal government. The 2014 version included input from the private sector, however, the current version published in 2017 had a goal of emphasizing private sector applicability. The Special Publication explains that the NICE Framework is comprised of the following components:

• Categories (7) – A high-level grouping of common cybersecurity functions

• Specialty Areas (33) – Distinct areas of cybersecurity work

• Work Roles (52) – The most detailed groupings of cybersecurity work comprised of specific knowledge, skills, and abilities (KSAs) required to perform tasks in a work role

• Capability Indicators – A combination of education, certification, training, experiential learning, and continuous learning attributes that could indicate a greater likelihood of success for given work role

Using the components of the NICE Framework not only helps organizations to document the constituent parts of a role, it also provides clarity about what someone performing that role will be required to know and do. The Special Publication calls out the following use cases:

• Inventory and track their cybersecurity workforce to gain a greater understanding of the strengths and gaps in knowledge, skills, and abilities, and tasks performed
• Identify training and qualification requirements to develop critical knowledge, skills, and abilities to perform cybersecurity tasks
• Improve position descriptions and job vacancy announcements by selecting relevant KSAs and tasks once work roles and tasks are identified
• Identify the most relevant work roles and develop career paths to guide staff in gaining the requisite skills for those roles
• Establish a shared terminology between hiring managers and human resources (HR) staff for the recruiting, retention, and training of a highly-specialized workforce

At Pluralsight, we are in the process of creating content for a new role profile: a Digital Forensic Analyst. This role has been created utilizing the NIST NICE Cybersecurity Workforce Framework knowledge, skills, abilities (KSAs), and tasks outlined in the Cyber Defense Forensics Analyst work role (IN-FOR-002). The role also maps to the KSAs and tasks outlined in the DoD Cyber Workforce Framework (DCWF) Cyber Defense Forensics Analyst work role (ID: 212).

The Pluralsight role will consist of three compulsory skills and one optional skill. The first skill can be seen here: Digital Forensics: Foundations. This will contain six courses, three of which have been published to date. The remaining courses and skills await production.

To enable learners to better understand the constituent parts of the role, skills, and courses, we have produced a visualization. To assist we have overlaid the KSA & T identification numbers for reference.

We are also in the process of completing a second role: Cyber Crime Investigator IN-INV-001 (DCWF Work Role ID: 221). In this role, the post holder identifies, collects, examines, and preserves evidence using controlled and documented analytical and investigative techniques. This role and the related courses will be coming soon.

Additional resources for the NICE Cybersecurity Workforce Framework can be found here:

• Presentations and overviews of the framework can be found here.
• An Excel spreadsheet setting out the framework, specialty areas and work role can be found in this table.
• The CyberSeek website is an interactive career pathway tool that also provides a jobs heat map that shows cybersecurity jobs across the U.S. by state and metropolitan area.