People are often the most underappreciated ingredient in the people, process, and technology formula that determines an organization’s readiness to understand and deal with cybersecurity challenges. This includes gaps in users’ and providers’ awareness about how to access cybersecurity guidelines and tools that apply to their own operations and environments along with a shortage of people who have the needed cybersecurity education, training, and experience. For over 40 years, NIST has endeavored to provide resources to federal agencies and other organizations, as well as to facilitate the exchange of cybersecurity knowledge.
As federal IT systems and policies become more complex, information security professionals have recognized the need for federal agencies to strengthen their employee cybersecurity awareness and training programs. For more than 30 years, NIST has released guidance explaining how to build such programs at a high, strategic level as well as how to approach the development of the training material itself.
SP 800-50, Building an Information Technology Security Awareness Program (2003)
SP 800-181, NICE Cybersecurity Workforce Framework (2017)
Founded in 1987 as the Federal Information Systems Security Educators’ Association (FISSEA), this community of practice, hosted and supported by NIST, is open to cybersecurity practitioners, awareness and training providers, educators, managers, and private sector organizations who support awareness and training programs in federal environments. The Annual FISSEA Conference has been held since 1988 alongside periodic workshops and quarterly forums.
FISSEA provides a professional forum for the exchange of information and improvement of information systems security awareness and training programs throughout the federal government. The annual Contest and Innovator of the Year awards highlight and recognize inventive efforts that can be shared and duplicated in Departments and Agencies. The Computer Security Act of 1987, which placed new awareness and training requirements on federal agencies, led to the establishment of this community of practice.
In 2008, NIST assumed the overall coordination role for the National Initiative for Cybersecurity Education (NICE), which represents the evolution of the Comprehensive National Cybersecurity Initiative (CNCI) work on cybersecurity education. The scope of CNCI was expanded from federal to a larger national focus. The CNCI expansion and NIST’s new role as lead for NICE were reinforced by the 2009 Cyberspace Policy Review report. The goal of NICE is to enhance the overall cybersecurity posture of the United States by accelerating the availability and strength of the workforce for cybersecurity. In addition to boosting awareness of careers in cybersecurity, NICE aims to promote educational and training resources designed to improve the cybersecurity behavior, skills, and knowledge of every segment of the population, and to explore ways to recruit and retain talent in the cybersecurity workforce. This has involved planning, coordination, communication, and outreach functions, including annual conferences.
NIST also formalized the NICE Framework as a NIST Special Publication in 2017, indicating the importance of maintaining the framework as a resource for the public and private sectors to use. The NICE Framework (Workforce Framework for Cybersecurity) provides guidance that establishes a taxonomy and common lexicon to describe all cybersecurity work and workers. The NICE Framework became required for Federal government use in 2015 with the Federal Cybersecurity Workforce Assessment Act, and required for government contractor use in 2019 with Executive Order 13870, America’s Cybersecurity Workforce.
In 1979, the National Bureau of Standards (NBS, later renamed NIST) began hosting an annual technical seminar on trusted automatic data processing (ADP) systems within the Department of Defense (DoD) called the Seminar on the DoD Computer Security Initiative Program. The intent was for research in trusted systems to lead to improvements in commercially available security technology.
In 1984, the seminar name was changed to the DoD/NBS Computer Security Conference to indicate its widening scope and participation. The following year, it was renamed the National Computer Security Conference (NCSC). In partnership with the new Computer Security Organization at the National Security Agency (NSA), NBS moved the conference to larger venues in Baltimore, Maryland, and Washington, D.C., and expanded the scope of the conference to include all aspects of secure computing systems.
In 1995, the conference was renamed once again to reflect the changing state of technology: the National Information Systems Security Conference (NISSC). The NISSC was last held in 2000. These conferences were the preeminent security summits of their time, and in earlier years, they were the one annual event at which people from the entire security community could come together.
NICE Conference & Expo (2010-present)
NICE K12 Cybersecurity Education Conference (2015-present)
In 2010, when NIST assumed coordination for NICE, NIST began coordinating annual conferences to bring together community members and thought leaders from education, government, industry, and non-profits to explore ways of developing a skilled cybersecurity workforce ready to meet the challenges of the future. Five years later, in addition to the annual conference, NICE also introduced a conference focused on K12 educators and those interested in cybersecurity education for K12.
NBS started the Federal Computer Security Program Managers’ Forum in the late 1980s to give federal agency cybersecurity program managers the opportunity to exchange information and share ideas, best practices, and materials with each other in a closed, informal environment. The Forum maintains an email listserv for members, and holds quarterly meetings to discuss current issues impacting federal cybersecurity and privacy programs. The listserv and meetings help reduce the duplication of effort across agencies and build a community and network of federal cybersecurity and privacy professionals.
NIST serves as the Chair and secretariat of the Forum. The Forum provides an organizational mechanism for NIST to exchange information directly with the program managers in fulfillment of its leadership mandate under FISMA. In 2021, as part of an ongoing effort to better coordinate between cybersecurity and privacy programs, the group's name changed to Federal Cybersecurity and Privacy Professionals Forum, and a second co-chair was added to represent the NIST Privacy Engineering Program.
By 1986, NIST had launched a dial-up bulletin board system (BBS) for computer security information. Many documents related to computer security were made available for download to the public through the BBS, and the BBS provided a way for people to exchange information about security incidents. The BBS also offered a moderated question-and-answer feature where the public could post questions that were answered by members of the NIST staff. When the NIST BBS started, there were only a few computer security BBSs in the U.S., including one at CERT (Carnegie Mellon University) and two hosted by federal agencies.
As the World Wide Web grew, the BBS evolved into NIST’s Computer Security Resource Center (CSRC), which in 1995 became the primary website for accessing NIST cybersecurity standards, guidelines, project information, and related resources. By 2020, CSRC had become one of NIST’s most-visited websites, hosting more than 3 million sessions and 8 million page views by over 2 million users.
Common security vulnerabilities threaten not only individual businesses but the nation’s economic base. Many small businesses can’t justify the expense of an extensive security program or a full-time security expert, and they need practical training to identify and utilize cost-effective security mechanisms.
NISTIR 7621, Small Business Information Security: The Fundamentals (2009)
NISTIR 7621 Rev. 1, Small Business Information Security: The Fundamentals (2016)
To address this need, NIST partnered with the Small Business Administration (SBA) and the Federal Bureau of Investigation (FBI) to host a series of regional workshops on IT security for small businesses. From 2002 through 2014, NIST co-led more than 125 workshops in 102 cities spanning 34 states and territories. Each workshop provided an overview of information security threats, vulnerabilities, and corresponding protective tools and techniques, with a special emphasis on directly applicable information for IT personnel. As an additional outreach tool, NIST offered recordings of some of the workshops and offered cybersecurity training webinars for small businesses.
NIST then collected the core information from the workshops and published it in 2009 as NIST Interagency or Internal Report (NISTIR) 7621, Small Business Information Security: The Fundamentals. The document provided common-sense, easy-to-read advice that small business owners could use to protect their information, computers, and networks. A revision in 2016 reflected changes in technology and security.
In fulfillment of the NIST Small Business Cybersecurity Act (2018) and to complement the workshops and guides, NIST updated the Small Business Cybersecurity Corner. The site lists free, publicly available, accurate, and comprehensive resources for helping small businesses identify and reduce risk.