Remember Clinger-Cohen and the original Federal Information Security Management Act (FISMA), when it was called the Information Technology, Information Management, Information Resources Management and Information Assurance (IT/IM/IRM/IA) Workforce? That was 10 years ago. Since then, the world has moved on to cyber and cybersecurity, with a lot of workforce definitions and titles coming and going — and staying.
If you google "cybersecurity workforce" you get thousands of answers. Then try "cyber" and you get thousands more, many using "cyber" as part of "cybersecurity." Finally, if you try "cyberspace," your top three returns are all Department of Defense (DoD)-related, but there's still all that "cybersecurity" stuff mixed in. So, who are we?
Daily, we see articles about the cyber workforce in the news, though sometimes the workforce is referred to as cyber and sometimes as cybersecurity. At the international and national level, the terms are sometimes interchanged and "cybersecurity" is used specifically to identify those jobs and tasks with a focus on network and system security.
Time for some background. First, "cyber" is an adjective; the dictionary defines the word as: "A combining form meaning computer, computer network, or virtual reality used in the formation of compound words (cybertalk; cyberart; cyberspace)." By that definition, cybersecurity is not all encompassing; it’s a category of cyberspace focusing on security.
National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (NSPD-54/HSPD-23) states that cyberspace is: “The interdependent network of information technology infrastructures, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries. Common usage of the term also refers to the virtual environment of information and interactions between people.”
The Defense Department has also developed a definition for cyberspace, from the DoD Dictionary of Military and Associated Terms (JP 1-02): "A global domain within the information environment consisting of the interdependent network of information technology infrastructures, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers."
That’s good news. The two definitions of cyberspace are closely aligned, and even more important, the term exists at the national and DoD levels.
The first time the Defense Department saw a focus on the workforce was in the National Defense Authorization Act (NDAA) of 2010 Section 934, which required the services to conduct an analysis of their "Cyber Operations Personnel." They are defined as: “Cyber operations personnel refers to members of the Armed Forces and civilian employees of the DoD involved with the operations and maintenance of a computer network connected to the global information grid, as well as offensive, defensive, and exploitation functions of such a network."
We've done countless studies and reports since then for Congress, the Office of the Secretary of Defense (OSD), and the Department of the Navy (DON). DoD even has a Principal Cyber Advisor (PCA) now. After the National Initiative for Cybersecurity Education (NICE), an executive branch level effort, completed the first NICE Cybersecurity Workforce Framework under the Comprehensive National Cybersecurity Initiative (CNCI), the term "cybersecurity workforce" took on the broader meaning of "cyberspace workforce" for the NICE framework.
Easy translation: Whenever you see "cybersecurity workforce" in its current use in the NICE framework and/or Office of Personnel Management efforts, think "cyberspace workforce" as defined by the DoD. More on the DoD definition in a moment.
The NICE framework includes the following categories: Securely Provision, Operate and Maintain, Protect and Defend, Oversight and Development, Collect and Operate, Analyze, and Investigate. For more details, the NICE Framework can be found at: https://niccs.us-cert.gov/training/tc/framework.
Regarding the DoD definition: With the publication of DoD Directive 8140.01, “Cyberspace Workforce Management,” and Secretary of the Navy (SECNAV) Instruction 5239.20A, “Department of the Navy Cyberspace Information Technology and Cybersecurity Workforce (DON Cyber IT/CSWF) Management and Qualification,” we now have new definitions of a DoD Cyberspace Workforce. The definitions below, from DoDD 8140.01, were decided upon after several years of discussion and agreement from over 30 DoD components, including all three military departments:
- Cyberspace workforce: Personnel who build, secure, operate, defend, and protect DoD and U.S. cyberspace resources; conduct related intelligence activities; enable future operations; and project power in or through cyberspace. It is comprised of personnel assigned to the areas of cyberspace effects, cybersecurity, cyberspace IT, and portions of the Intelligence workforces.
- Cyberspace IT workforce: Personnel who design, build, configure, operate, and maintain IT, networks, and capabilities. This includes actions to prioritize portfolio investments; architect, engineer, acquire, implement, evaluate, and dispose of IT as well as information resource management; and the management, storage, transmission, and display of data and information.
- Cybersecurity workforce: Personnel who secure, defend, and preserve data, networks, net-centric capabilities, and other designated systems by ensuring appropriate security controls and measures are in place, and taking internal defense actions. This includes access to system controls, monitoring, administration, and integration of cybersecurity into all aspects of engineering and acquisition of cyberspace capabilities.
- Cyberspace effects workforce: Personnel who plan, support, and execute cyberspace capabilities where the primary purpose is to externally defend or conduct force projection in or through cyberspace.
- Intelligence workforce (cyberspace): Personnel who collect, process, analyze, and disseminate information from all sources of intelligence on foreign actors’ cyber programs, intentions, capabilities, research and development, and operational activities.
Not really exciting reading, but the definitions have been agreed upon. So we can see that above all else we are a cyberspace workforce, regardless of the category of cyberspace workforce we fall in at any given time because of our job. And we know we can move between one category and another based on work and job changes, but we are still defined as a cyberspace workforce.
There's something else, though: cyberspace is the domain, as discussed above — there's agreement on that at all levels, private and public. But cyber is still an adjective, so just like you have cyberspace and cybersecurity, you can also have a cyber IT workforce and a cyber-effects workforce. In fact, several new publications are using the phrase "cyberspace, hereafter referred to as cyber" for their purposes. It's catching on in a wider sense also.
So, what's it all mean — who are we really?
Well, take a look at the definitions again: We are the cyberspace workforce — sometimes called the cyber workforce. Also, we're part of a category of the cyber workforce — it could be cyber IT, cybersecurity, cyber-effects or even intelligence workforce (cyberspace). The workforce is no longer defined as IM/IT/IRM/IA; it’s defined as the cyber workforce now.
You can call us the cyber IT workforce, cybersecurity, or cyber-effects — but we're all part of the CYBER WORKFORCE — that's who we are.
Chris Kelsall is the DON CIO Cyber Workforce lead.
See also CHIPS articles: "The New DON Cyberspace (Cyber) IT and Cybersecurity Workforce Management and Qualification Program" and “DON Cyberspace (Cyber) IT and Cybersecurity Workforce Credentialing”