State of Cyber Workforce Development · Enterprise-wide solution to train, qualify, and manage DoD...
© 2015 Carnegie Mellon University
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213
State of Cyber Workforce Development
Marie Baker
26 June 2015
Overview
US Cyber Preparedness
Training Initiatives
Training and Awareness Resources
The Way Ahead for Training
Current State of Affairs
High Dependence on Cyberspace = Highly Vulnerable to Devastation in event of attack
Equipment evolving, software more complex, threats getting smarter
Confidence in US cyber preparedness weak
• Lack of skilled professionals
One Standard
Keith Alexander
Retired four-star Army General
Former NSA Director
“Whether we do our cyber-training at one school or at multiple schools, the training
will have to be executed to one standard. I think that’s what we need to do so that the
combatant commanders and the forces in the field know that whether they get a
soldier, marine, airman or sailor, that person is trained to a standard and can
accomplish the mission that is expected of them”
Training Initiatives
DoD 8570.01
DoD 8140
USCYBERCOM Joint Cyberspace Training & Certification Standards (JCT&CS)
National Initiative for Cybersecurity Education (NICE)
DISA Operationally Focused CYBER Training Framework
CERT Approach to Cybersecurity Workforce Development
DoD 8570
Information Assurance Training, Certification, and Workforce Management
Enterprise-wide solution to train, qualify, and manage DoD IA workforce
Right people with the right skills in the right position
All IA positions categorized as IAT, IAM, IASAE, or CNDSP
• Assigned level or specialty
• Trained at baseline requirement, obtain certification
All personnel performing IA functions must obtain certification and/or certificate of training within 6 months of being hired
DoD Approved 8570 Baseline Certifications
IAT Level I: A+, Network+CE, SSCP, CCNA-Security
IAT Level II: GSEC, Security+CE, SSCP, CCNA-Security
IAT Level III: CISA, GCIH, CISSP, CASP, GCED
IAM Level I: CAP, GSLC, Security+CE
IAM Level II: CAP, CASP, GSLC, CISM, CISSP
IAM Level III: GSLC, CISM, CISSP
IASAE I: CISSP, CASP, CSSLP
IASAE II: CISSP, CASP, CSSLP
IASAE III: CISSP-ISSEP, CISSP-ISSAP
CNDSP Analyst: GCIA, CEH, GCIH
CNDSP Infra Support: SSCP, CEH
CNDSP Incident Responder: GCIH, CEH, GCFA
CNDSP Auditor: CISA, GSNA, CEH
CNDSP Manager: CISSP-ISSMP, CISM
DoD 8140
Cyberspace Workforce Management Policy Update
Expected to replace 8570, conflicting release dates
Comprehensive view of cybersecurity workforce including:
• Architects, Software Engineers, Law enforcement, Intelligence
Levels I, II, III to be qualification levels:
• Apprentice, Journeyman, Master
Integrating NICE job skills and USCYBERCOM mission area requirements
Compliance included in DoD inspection programs
USCYBERCOM Joint Cyberspace Training & Certification Standards (JCT&CS)
Common, arduous standards for individuals and collectives
Patterned after JTS 4 phases and linked to mission
• Requirements, Planning, Execution, Assessment
Prioritized list of essential tasks, their conditions, and measurable standards to accomplish a mission (JMETL)
Training plans based on JMETL and baseline standards
National Initiative for Cybersecurity Education (NICE)
Established in response to the Comprehensive National Cybersecurity Initiative (CNCI)
Initiative to enhance the cybersecurity posture of the US through the availability of cybersecurity training resources
Awareness, Education, and Workforce components
Cybersecurity Workforce Framework designed to provide a common taxonomy to categorize workers
National Cybersecurity Workforce Framework
Initially published 2011, addresses need for
• Standard terminology
• Cyber workforce position descriptions
• Required knowledge, skills, abilities
7 categories
• Overarching framework structure
• Groups related specialty areas
31 specialty areas
• Contains common tasks and KSAs
http://csrc.nist.gov/bice/framework/
DISA Operationally Focused CYBER Training Framework
Robust training and certification program designed around “one standard”
Role-based and crew certification that are mission-specific
• Crew certification is composition of role-based operators
Uses JCT&CS and NICE for work-role definitions, associated tasks and KSAs to create roles-tools training matrix
• Roles-to-Tools
• Tools-to-Tools
• Roles-to-Roles interactions
CERT Approach to Cybersecurity Workforce Development
Continuous phases
Cyber Training and Workforce Development Resources
National Initiative for Cybersecurity Careers and Studies (NICCS)
DHS cybersecurity workforce portal
Vast resource for exploring cybersecurity
• Career paths
• Degree programs
• Training and education sources
• Expansion of the NICE Framework and resources to support its use by public and private sector
Federal Virtual Training Environment (FedVTE)
LMS managed through DHS
Aims to help workforce maintain expertise and foster operational readiness
Classroom delivery converted to online format
• Lectures
• Video demonstrations
• Quizzes
Freely available to federal workforce 24/7, saving millions in travel and training costs
https://fedvte.usalearning.gov
National Centers of Academic Excellence
Jointly sponsored by DHS and NSA
Higher educational institutions recognized as field leaders
181 centers in 43 states
CyberCorps Scholarship for Service
Established to help increase the number of qualified students entering the field of cybersecurity
Full scholarships for college students
Grant recipient commits to employment with federal government
$45M budget, 150-160 graduates per year
STEM Initiatives
Science, Technology, Engineering, and Math fields of study.
Began to address lack of skilled candidates for high-tech jobs
Typically taught in isolation instead of within curriculum
Efforts underway to integrate cybersecurity into existing STEM curricula – from as early as K-12
Can STEM Help?
June 2014
“78% of college students decided to study Science,
Technology, Engineering, and Math (STEM) in high school or
earlier.”
Does STEM Address Cybersecurity?
“82% of millennials said, ‘no high school teacher or
guidance counselor ever mentioned to them the idea of a
career in cybersecurity.’”
October 2013
If They Don’t Know, They Don’t Know!
“Only 24% of millennials are interested in cybersecurity
careers.”
October 2013
With All These Training Resources and Initiatives…
96% of nearly 80,000 security incidents in 2014 traced to 9 basic attack patterns
Phishing continues to be a major problem; accounted for 20% of recorded incidents
• 10 emails = >90% chance of at least one victim
In 2014, 97% of exploits were from a list of 10 published vulnerabilities
55% of insider incidents involved privilege abuse
These Are Security Fundamentals!
Verizon’s 2015 Data Breach Investigations Report
What May Be Hurting Effectiveness?
Many attend training to “check a box”
• Required by employer
• Needed to acquire continuing education credit
• Boot camp to pass an exam
What is learned in course may not translate to workplace
Ability to effectively evaluate comprehension
Awareness refreshers and reinforcement may be lacking
Lack of high fidelity in training courses
The SEI Is Trying to Help
Real-world network modeling and user simulation
• “Train as you fight”
• XNET, STEPfwd, PCTC
Innovative training
• Emerging content and instruction methods
• Performance based assessments
• Gamification of systems
• Creative content (e.g. The escape room)
Additional research efforts
• Automated Cyber-readiness Evaluator (ACE)
• Cyber-kinetic simulator
• Using video games to prepare the next generation cyber warrior (http://delivery.acm.org/10.1145/2760000/2751958/p23-herr.pdf)
Notices
© 2015 Carnegie Mellon University
This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study.
Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].
This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.
Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding.
THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).
CERT ® is a registered mark owned by Carnegie Mellon University.