state of cyber workforce development · enterprise-wide solution to train, qualify, and manage dod...

© 2015 Carnegie Mellon University Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 State of Cyber Workforce Development Marie Baker 26 June 2015


© 2015 Carnegie Mellon University

Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213

State of Cyber Workforce Development
Marie Baker
26 June 2015


Overview

US Cyber Preparedness

Training Initiatives

Training and Awareness Resources

The Way Ahead for Training


Current State of Affairs

High Dependence on Cyberspace = Highly Vulnerable to Devastation in event of attack

Equipment evolving, software more complex, threats getting smarter

Confidence in US cyber preparedness weak
• Lack of skilled professionals


One Standard

Keith Alexander
Retired four-star Army General
Former NSA Director

“Whether we do our cyber-training at one school or at multiple schools, the training will have to be executed to one standard. I think that’s what we need to do so that the combatant commanders and the forces in the field know that whether they get a soldier, marine, airman or sailor, that person is trained to a standard and can accomplish the mission that is expected of them.”


Training Initiatives

DoD 8570.01

DoD 8140

USCYBERCOM Joint Cyberspace Training & Certification Standards (JCT&CS)

National Initiative for Cybersecurity Education (NICE)

DISA Operationally Focused CYBER Training Framework

CERT Approach to Cybersecurity Workforce Development


DoD 8570

Information Assurance Training, Certification, and Workforce Management

Enterprise-wide solution to train, qualify, and manage DoD IA workforce

Right people with the right skills in the right position

All IA positions categorized as IAT, IAM, IASAE, or CNDSP
• Assigned level or specialty
• Trained at baseline requirement, obtain certification

All personnel performing IA functions must obtain certification and/or certificate of training within 6 months of being hired


DoD Approved 8570 Baseline Certifications

IAT Level I: A+, Network+CE, SSCP, CCNA-Security
IAT Level II: GSEC, Security+CE, SSCP, CCNA-Security
IAT Level III: CISA, GCIH, CISSP, CASP, GCED

IAM Level I: CAP, GSLC, Security+CE
IAM Level II: CAP, CASP, GSLC, CISM, CISSP
IAM Level III: GSLC, CISM, CISSP

IASAE I: CISSP, CASP, CSSLP
IASAE II: CISSP, CASP, CSSLP
IASAE III: CISSP–ISSEP, CISSP–ISSAP

CNDSP Analyst: GCIA, CEH, GCIH
CNDSP Infra Support: SSCP, CEH
CNDSP Incident Responder: GCIH, CEH, GCFA
CNDSP Auditor: CISA, GSNA, CEH
CNDSP Manager: CISSP–ISSMP, CISM


DoD 8140

Cyberspace Workforce Management Policy Update

Expected to replace 8570, conflicting release dates

Comprehensive view of cybersecurity workforce including:
• Architects, Software Engineers, Law enforcement, Intelligence

Levels I, II, III to be qualification levels:
• Apprentice, Journeyman, Master

Integrating NICE job skills and USCYBERCOM mission area requirements

Compliance included in DoD inspection programs


8140 Categories and Tasks

http://diarmfs.com/dod-8140/


USCYBERCOM Joint Cyberspace Training & Certification Standards (JCT&CS)

Common, arduous standards for individuals and collectives

Patterned after JTS 4 phases and linked to mission

• Requirements, Planning, Execution, Assessment

Prioritized list of essential tasks, their conditions, and measurable standards to accomplish a mission (JMETL)

Training plans based on JMETL and baseline standards


National Initiative for Cybersecurity Education (NICE)

Established in response to the Comprehensive National Cybersecurity Initiative (CNCI)

Initiative to enhance the cybersecurity posture of the US through the availability of cybersecurity training resources

Awareness, Education, and Workforce components

Cybersecurity Workforce Framework designed to provide a common taxonomy to categorize workers


National Cybersecurity Workforce Framework

Initially published 2011, addresses need for
• Standard terminology
• Cyber workforce position descriptions
• Required knowledge, skills, abilities

7 categories
• Overarching framework structure
• Groups related specialty areas

31 specialty areas
• Contains common tasks and KSAs

http://csrc.nist.gov/bice/framework/


DISA Operationally Focused CYBER Training Framework

Robust training and certification program designed around “one standard”

Role-based and crew certification that are mission-specific
• Crew certification is composition of role-based operators

Uses JCT&CS and NICE for work-role definitions, associated tasks and KSAs to create roles-tools training matrix
• Roles-to-Tools
• Tools-to-Tools
• Roles-to-Roles interactions


CERT Approach to Cybersecurity Workforce Development

Continuous phases


Cyber Training and Workforce Development Resources


National Initiative for Cybersecurity Careers and Studies (NICCS)

DHS cybersecurity workforce portal

Vast resource for exploring cybersecurity
• Career paths
• Degree programs
• Training and education sources
• Expansion of the NICE Framework and resources to support its use by public and private sector


Federal Virtual Training Environment (FedVTE)

LMS managed through DHS

Aims to help workforce maintain expertise and foster operational readiness

Classroom delivery converted to online format

• Lectures
• Video demonstrations
• Quizzes

Freely available to federal workforce 24/7, saving millions in travel and training costs

https://fedvte.usalearning.gov


National Centers of Academic Excellence

Jointly sponsored by DHS and NSA

Higher educational institutions recognized as field leaders

181 centers in 43 states


CyberCorps Scholarship for Service

Established to help increase the number of qualified students entering the field of cybersecurity

Full scholarships for college students

Grant recipient commits to employment with federal government

$45M budget, 150-160 graduates per year


STEM Initiatives

Science, Technology, Engineering, and Math fields of study.

Began to address lack of skilled candidates for high-tech jobs

Typically taught in isolation instead of within curriculum

Efforts underway to integrate cybersecurity into existing STEM curricula – from as early as K-12


Can STEM Help?

June 2014

“78% of college students decided to study Science, Technology, Engineering, and Math (STEM) in high school or earlier.”


Does STEM Address Cybersecurity?

“82% of millennials said, ‘no high school teacher or guidance counselor ever mentioned to them the idea of a career in cybersecurity.’”

October 2013


If They Don’t Know, They Don’t Know!

“Only 24% of millennials are interested in cybersecurity careers.”

October 2013


With All These Training Resources and Initiatives…

96% of nearly 80,000 security incidents in 2014 traced to 9 basic attack patterns

Phishing continues to be a major problem; accounted for 20% of recorded incidents
• 10 emails = >90% chance of at least one victim

In 2014, 97% of exploits were from a list of 10 published vulnerabilities

55% of insider incidents involved privilege abuse

These Are Security Fundamentals!

Verizon’s 2015 Data Breach Investigations Report


What May Be Hurting Effectiveness?

Many attend training to “check a box”
• Required by employer
• Needed to acquire continuing education credit
• Boot camp to pass an exam

What is learned in course may not translate to workplace

Ability to effectively evaluate comprehension

Awareness refreshers and reinforcement may be lacking

Lack of high fidelity in training courses


The SEI Is Trying to Help

Real-world network modeling and user simulation
• “Train as you fight”
• XNET, STEPfwd, PCTC

Innovative training
• Emerging content and instruction methods
• Performance based assessments
• Gamification of systems
• Creative content (e.g. The escape room)

Additional research efforts
• Automated Cyber-readiness Evaluator (ACE)
• Cyber-kinetic simulator
• Using video games to prepare the next generation cyber warrior (http://delivery.acm.org/10.1145/2760000/2751958/p23-herr.pdf)


Notices

© 2015 Carnegie Mellon University

This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study.

Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding.

THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT ® is a registered mark owned by Carnegie Mellon University.