Kaity
Community Manager

NEWS: Executive Order on America’s Cybersecurity Workforce

POTUS has just issued an Executive Order calling for increased oversight and development of cybersecurity workforce growth processes. You can read the White House press release here:

https://www.whitehouse.gov/presidential-actions/executive-order-americas-cybersecurity-workforce/

As cybersecurity professionals, what do you think about this EO?

7 Replies
CraginS
Defender I


@Kaity wrote:

POTUS has just issued an Executive Order calling for increased oversight and development of cybersecurity workforce growth processes. You can read the White House press release here:

https://www.whitehouse.gov/presidential-actions/executive-order-americas-cybersecurity-workforce/

As cybersecurity professionals, what do you think about this EO?


Given the international nature of this community, here are a few points to help understand the context of the order.

1. POTUS is a governmental jargon acronym for President of the United States. The general news media began using it (way too much) some years back when they discovered it in various White House and Secret Service documents. We now see a jumble of xxxOTUS acronyms in the news (e.g. FLOTUS, VPOTUS, SCOTUS, etc.).

2. Executive Orders signed by the President have no force of law. They are all directives that apply only to the departments and agencies under the Executive Branch of the U.S. Federal Government. Each EO is normally based either on direct Presidential authority found in the U.S. Constitution or in Public Law that gives the President some explicit responsibility and authority, as found in the U.S. Code. They do not apply to the U.S. Courts; to the U.S. Congress and its supporting agencies such as the Congressional Budget Office or the Library of Congress; to any State, Tribal, or local governments; or to any private or commercial entity, including individual citizens, residents, companies, corporations, or not-for-profit entities.

3. In general, every Executive Order directs specific departments and agencies, or sometimes all of them, to carry out specific tasks. In this case, the new EO gives explicit direction to several cabinet Secretaries and their departments: Homeland Security, Commerce, Defense, Energy, Transportation, plus the Office of Management & Budget (OMB) and the Office of Personnel Management (OPM).

4. Note that this EO, like many others, will cause the affected departments and agencies to develop directives, policies, and procedures that will directly affect U.S. government employees and companies contracted to those agencies.

I think the most important part of this EO is that it will lead to procedures and partnerships allowing cybersecurity specialists to move back and forth between government jobs and private sector positions without losing momentum in their careers. That could be a very positive result.


D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkeDin Profile
My Community Posts
rslade
Influencer II

> KaityEagle ((ISC)² Team) posted a new topic in Industry News on 05-02-2019

>   As cybersecurity professionals, what do you think about
> this EO?

In our family we have a saying that covers this type of thing. There was a member of our extended family, not well versed in English, who, when presented with some difficult problem, would shrug and say, "Somebody have to do something."

Within 90 days of this order, somebody have to design a program. For training, recruitment (by force, if necessary, from the sounds of it) and the "non-reimbursable" grabbing of infosec mavens to work at DHS (and, from thence, being sold--sorry, "detailed"--to work at other agencies). (I thought you guys had fought a war over slavery, and decided it was a bad thing? Maybe I got that wrong ...)

Isn't that NICE.

Oh, and there's badges!

And then, "The Secretary of Homeland Security, in consultation with the Secretary of Defense, the Director of the Office of Science and Technology Policy, the Director of OMB, and the heads of other appropriate agencies, shall develop a plan for an annual cybersecurity competition (President's Cup Cybersecurity Competition) for Federal civilian and military employees." I can't even begin to comment on that.

Best guess: absolutely nothing will change.

(Sorry, but to get all the snarks in this posting, you'll probably have to actually read the EO ...)


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
rslade
Influencer II

> CraginS (Advocate I) posted a new reply in Industry News on 05-02-2019 03:57 PM

>   I think the most important part of this EO is that it will lead to procedures
> and partnerships allowing cybersecurity specialists to move back and forth
> between government jobs and private sector positions without losing momentum in
> their careers. That could be a very positive result.

If it worked, yes. But I rather doubt they'll come up with a workable plan ...


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Radioteacher
Community Champion

There are a few things in the Executive Order worth pointing out.

Section 2 a (iii): NIST came out with the "National Initiative for Cybersecurity Education Cybersecurity Workforce Framework" (NICE Framework) in August of 2017.

I find it to be an excellent starting point for fitting people with occupations. It is all about Tasks, Knowledge, Skills, and Abilities.

https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-181.pdf

Section 2 b (i-ii): Basically, use the NICE Framework.

I have been a fan of the NICE Framework since it came out and use it to help identify my own skills gap.

How can you close your skills gap unless you seek it out?

Paul

rslade
Influencer II

> Radioteacher (Community Champion) posted a new reply in Industry News

>   Section 2 a
> (iii) NIST came out with the "National Initiative for Cybersecurity Education
> Cybersecurity Workforce Framework" (NICE Framework) in August of 2017.  I find
> it to be an excellent starting point for fitting people with occupations.   It
> is all about Tasks, Knowledge, Skills, and Abilities.

Yes, it's a NICE framework. It's a very NICE framework. It's the same as ours.

It's a task analysis. A very big task analysis, I grant you. But our CBK (and pretty much every other CBK worthy of the designation) starts with a task analysis. You can use NICE, or you can use ours, and basically get the same result.

It's very NICE of NIST to have done it for us, and, since it's free, I recommend everyone download it (you might have some trouble at the moment: due to the EO the NIST website seems to be having a little trouble feeding everyone who wants a copy) and read it. Good study guide. Good career guide. Good answer for all those who are posting "where do I go next on my career path" type questions/postings here ...


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
CraginS
Defender I


@rslade wrote:

...

Yes, it's a NICE framework. It's a very NICE framework. It's the same as ours.

It's a task analysis. A very big task analysis, I grant you. But our CBK (and pretty much every other CBK worthy of the designation) starts with a task analysis. You can use NICE, or you can use ours, and basically get the same result.

It's very NICE of NIST to have done it for us, and, since it's free,

A bit of history:

With the inception of the CISSP in the 1990s, the Consortium developed the Common Body of Knowledge (CBK).

In 2008 the U.S. Department of Homeland Security (DHS) convened a working group to develop a framework for government information security workforce development. They built something based on the (ISC)2 CBK, but without direct citation, and called it the Essential Body of Knowledge (EBK).

For a few years the EBK was on the DHS.gov web site.

Also, one of the working group members, who was also a university professor, wrote a textbook based on the EBK. We used it in my second doctoral program course on Frameworks in late 2012.

Eventually the EBK was transferred from DHS to NIST, and then it was superseded by the NICE initiative at NIST.

These days it is nearly impossible to find mention of the EBK online.

Here, however, is one, a paper by the author of the textbook we used:

An Introduction to the DHS EBK: Competency and Functional Framework for IT Security Workforce Develo...
by Wm. Arthur Conklin

But this is how and why the NICE framework tracks back to the CBK.

CraginS
Defender I

Essential Body of Knowledge (EBK) - DHS 2008

High view outline:

Steps in the INFOSEC process:

Manage - Design - Implement - Evaluate

(reminds you of a Shewhart Cycle / Deming Cycle / OODA Loop, doesn't it?)

Common practice areas

  1. Data security
  2. Digital forensics
  3. Enterprise continuity
  4. Incident management
  5. IT security training and awareness
  6. IT system operation and maintenance
  7. Network security and telecommunications
  8. Personnel security
  9. Physical and environmental security
  10. Procurement
  11. Regulatory and standards compliance
  12. Risk management
  13. Strategic security management
  14. System and application security

Standard roles

  1. Chief information officer
  2. Information security officer
  3. IT security compliance officer
  4. Digital forensics professional
  5. IT security engineer
  6. IT systems operations and maintenance professional
  7. IT security professional
  8. Physical security professional
  9. Privacy professional
  10. Procurement professional

====

Note how close the EBK Common Practice Areas are to the CBK Domains, especially the original 10 Domains.
