The Department of Veterans Affairs is developing a cybersecurity career program to fill gaps in the NICE Cybersecurity Workforce Framework.
VA’s Office of Information Security stood up a Cyber Workforce Management (CWM) program across the broader Office of Information and Technology (OIT), which determined existing NICE Framework roles didn’t meet all of VA’s mission needs. The framework, developed by the National Initiative for Cybersecurity Education, prescribes knowledge, skills, abilities and tasks (KSATs) to work roles like a cyber defense analyst.
“There are gaps in the framework. Medical is not in there, med cyber — jack of all trades, master of medical devices,” Stephanie Keith, CWM program manager, said during a panel discussion at the 2020 Health IT Summit. “But where are the cybersecurity aspects of that? At VA we’re looking at how we develop what that work role looks like.”
The CWM program plans to identify work roles across every single position within VA and its IT office and establish qualification requirements for each role that all of government can use, she added.
“I’m not about unique requirements for an agency,” Keith said. “I’m about federal national standards.”
CWM is also standing up a cyber training academy pilot to teach employees baseline skills associated with the work roles. Baseline skills for, say, a cyber defense analyst should be the same at every agency so they’re portable, Keith said.
Training for new work roles covering positions like healthcare technology managers and informaticists should happen at the device level, not the network level, she added.
VA employees further removed from technical positions still require cyber training as well in areas like early detection and zero trust, said Paul Cunningham, chief information security officer at VA.
“We’re never going to get medical teams to be primarily cybersecurity. It’s not their mission; we shouldn’t expect it,” Cunningham said. “But we should make it very easy for them to help us as first-line defenders recognize when things are not operating correctly.”