Virginia adopts cybersecurity framework to get everyone speaking the same language

In what is just one in a string of recent cybersecurity announcements, Gov. Terry McAuliffe declared Thursday that Virginia is the first state to adopt the National Initiative for Cyber Security Education (NICE) Framework, developed by the National Institute of Standards and Technology, in an official capacity.

The latest version of the framework — also known as NIST Special Publication 800-181 — was published earlier this month, with the intention of providing a “common, constant lexicon” for a fast-growing industry in which everyone seems to have a different name for the same thing. The state is not the first to consult the framework, nor is it mandating that any organization within the state use it, but it’s the first state to officially endorse the guideline as an important ingredient for any university, business or government organization interested in supporting a coherent cybersecurity ecosystem.

McAuliffe, a Democrat who has positioned himself as a leader of states-driven cybersecurity initiatives since taking office in 2014, said Virginia’s integration of the NICE Framework into existing hiring and education efforts will help meet the demand for the state’s some 36,000 unfilled cybersecurity positions. The governor’s announcement makes official and is expected to unify pockets of adoption throughout the state, which already include the state’s apprenticeship programs and some community colleges.

The hope, said Virginia Secretary of Technology Karen Jackson, is that organizations will begin picking up this workforce framework, just as they did following the state’s adoption of NIST’s National Cybersecurity Framework in 2014.

“Everything we do in the cyber world, through the CIO, CISO — Nelson [Moe] and Mike [Watson] — all of it somehow ties back and has a nexus to that [2014] framework,” Jackson said. “This [announcement] will allow us to have a much broader and more integrated conversation about the framework. We’re going to use it for tagging our own jobs, we’re going to use it for workforce development, we’re going to use it for curriculum development and when you start getting those three together, if we can manage to promote this to industry, then we can start having a very powerful conversation.”

In speaking with industry commissioners, Jackson said she learned that everyone brags on their resume about being a “cybersecurity expert,” but without precise and widely-adopted terminology to describe skill sets, there will continue to be confusion as workers move between and collaborate across university, government and private industry.

NICE Director Rodney Petersen told StateScoop the organization does not track which states have adopted the NICE Framework or to what extent — only that there are anecdotes of states having referenced it. It is also gaining popularity through adoption by the National Centers of Academic Excellence operated by the National Security Agency and the Department of Homeland Security, Petersen noted.

“It is also being used by training and certification organizations to map industry-recognized certifications to the knowledge, skills, and abilities contained within the NICE Framework,” Petersen said in an email to StateScoop. “The more it is used across government (federal and state), academia, training organizations, and private sector employers, the more we can move as a nation towards a common definition of the problem and solution for addressing our nation’s cybersecurity workforce shortage.”

In North America, 68 percent of professionals believe their departments have too few cybersecurity workers, according to a report released earlier this year by the Center for Cyber Safety and Education and ISC2. Globally, market research firm Frost & Sullivan predict there will be 1.8 million unfilled cybersecurity positions by 2022.

“If industry uses it, academia uses it, government uses it,” Jackson said, “suddenly everybody’s talking in the same way about cyber positions and suddenly the training we do is relevant to government jobs, it’s relevant to private sector jobs, because we’re finally all speaking a common language.”