NICE Cybersecurity Framework vs 8140: What’s the Difference?

The DoD is a massive organization with its own cybersecurity framework called the DoD Directive 8140. The 100-page 8140 manual covers job roles, responsibilities, training, and career progression for basically every technical professional. And there are quite a few. DoDD 8140 has considerable weight in how federal agencies organize their technical workforce, and even influences state and local governments and even private companies.

The influence of DoD 8140 is considerable, but it isn't the only framework — or even the most influential. In fact, the NICE Framework informs the DoD strategy as well as the rest of government and beyond in all things cybersecurity.

The NICE framework and 8140 share some similarities, but there are significant differences as well.

What is the NICE framework?

The NICE Cybersecurity Workforce Framework, more commonly known as the NICE Framework, was a collaborative effort between the Department of Homeland Security (DHS), the Office of the Secretary of Defense (OSD), and the National Initiative for Cybersecurity Education (NICE). The source document for the NICE Framework is NIST Special Publication 800-181 and is published by the National Institute of Standards and Technology (NIST).

The NICE framework was developed to create a consistent, systematic way to organize federal cybersecurity efforts. Ultimately, the NICE framework serves as a baseline for all federal cybersecurity roles, processes, and effort — albeit a non-binding baseline. Federal agencies can and do adopt their own cybersecurity requirements, but many use the NICE framework as a starting point.

DoD serves up a perfect example of a federal agency modifying the NICE Framework for their own purposes. Remember that 8140 outlines the job roles, duties, and training for the DoD technical workforce. DoDD 8140-M is the official manual (or will be when it's released) for how cyber work happens in the Department of Defense. In turn, the DoD Cyber Workforce Framework (DCWF) is the blueprint for the DoD technical workforce, which is defined by 8140 — and also NICE.

It's a little convoluted, but basically the DCWF is derived from 8140 — and both were informed by the NICE framework.

Why Have All These Frameworks?

These job role frameworks are necessary for both workforce management and security of organizations as large as the DoD and other federal agencies.

On paper, the NICE framework neatly defines technical roles with a specific set of tasks. However, in real life, jobs crossover with other jobs. For example, a systems administrator and network administrator often have similar day-to-day duties, which is fine for smaller companies. But in large organizations network and systems administrators necessarily have unique, specialized job roles.

Inconsistencies in job roles at the unit level were not only frustrating, but also lead to security vulnerabilities. For example, if someone's job is misclassified, then they weren't receiving the correct training. The NICE Framework is molded into the DCWF and mandated by 8140 to avoid this issue, standardizing roles and creating a cohesive cybersecurity overlay for the entire DoD.

To fully examine the difference between DoDD 8140 and NICE, we'll need to dig into the knowledge, skills, and abilities outlined in the DCWF and the NICE Framework.

DoD 8140 (DCWF) vs NICE: The Seven Workforce Categories

Since DCWF acts as the DoD implementation of the NICE Framework, that's a better comparison than comparing 8140 and NICE directly. As a result of their providence, there are numerous similarities between DCWF and NICE by design. For instance, both DCWF and NICE have seven overarching workforce categories:

• Analyze

• Collect & Operate

• Investigate

• Operate & Maintain

• Oversee & Govern

• Protect & Defend

• Securely Provision

The seven workforce categories are then broken down into specialty areas, which is primarily where the differences between the frameworks can be found — in the application of specialties.

We're going to explore the difference between NICE and DCWF through the lens of these seven workforce categories.

Analyze: How 8140 Analyzes Data Differently

The first workforce category identified in the NICE Framework is "Analyze." Any job that involves a "highly-specialized review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence" falls under this purview.

Data can be drawn from virtually any source, agency, or discipline within the intelligence community, and an emphasis on synthesizing information from multiple sources and providing global context is critical. The overall goal is to draw insights from these coalesced observations about what implications they could have.

Three of the skill sets identified by NIST include exploiting language, cultural, and technical expertise to drive information collection and analysis. Two primary “opponents” are specified: cybersecurity criminals and foreign intelligence entities. The activities of these groups are monitored to help law enforcement and US counterintelligence activities.

The DCWF also emphasizes "Analyze" as an overarching workforce category, although the balance between emphasizing counter-criminal and counterintelligence shifts more heavily toward the latter than it does in the NICE Framework. Individuals in this category are defined in 8140 as belonging to the "intelligence workforce (cyberspace)."

How 8140 is Different

DoD guidelines have two interesting departures from the NICE Framework in the Analyze category. The first is a heightened emphasis on data dissemination; while NIST focuses on information collection and analysis, 8140 explicitly identifies active distribution as a source role. The second is targeting state actors, outlining "foreign actors' cyber programs, intentions, capabilities, research and development, and operational activities." The phrasing seen here indicates a decreased emphasis on counter-criminal activity and a higher weight given to a national defense-oriented posture.

Collect & Operate: 8140 Deals with Counter-Intel

The next workforce category is "Collect & Operate," which is integrally connected to “Analyze,” but is more concerned with gathering raw information than what is done with it afterward. This is not just a passive role; both frameworks explicitly identify providing “specialized denial and deception operations” to collect information, indicating that this includes an active approach toward intel gathering.

There's a continued emphasis, both implied and explicit, on a strategic, well-planned, collaborative approach that integrates with other intelligence functions. This begins with the collection management process, headed by an "All Source Collection Manager," who has a primary role of establishing strategies and priorities for intel gathering.

How NIST and 8140 are the Same

Although there is a continued focus on counter-intel over counter-criminal activities in DoD guidance, the DCWF and NICE Framework are otherwise nearly identical in this category. It's important to remember that although the frameworks mirror each other, this category is highly focused on the assets available to the organization. While the NICE Framework is the foundation for such dissimilar organizations as the CIA, NSA, and DoD, the assets each agency or department uses are unique, which means the individual jobs in this category will be different in each organization.

Investigate: Different Agencies, Different Goals

The third category is "Investigate," which digs into "cybersecurity events or crimes related to information technology (IT) systems, networks, and digital evidence." This includes the "full range of investigative tools and processes," both technical and personal. While the former is to be expected, it's interesting to note that this category also explicitly identifies interview and interrogation techniques.

One critical component of both the DCWF and NICE Frameworks is striking a balance between the benefits of prosecution and intelligence gathering. When criminal or enemy activity is observed, authorities have two primary avenues of reaction. The first is ending it, and in the case of criminal action, engaging in prosecution. While there is undoubtedly a place for this, it also shows our hand: what we can detect, what our capabilities are, and reveals what we might have missed. Sometimes it's better to sit back and observe what's going on to gather more information about the adversary's intentions and capabilities.

The Varied Focuses of NICE and 8140

The goal of investigation will vary substantially between federal agencies and departments. While the FBI would use the NICE Framework to emphasize building a case to put criminals behind bars, the DoD uses the DCWF to develop detailed target packages which can either be attacked or thwarted in the future. With few exceptions, building an evidence-based legal case against opponents is not a concern for the DoD, meaning that the way investigations roles play out, what they're looking for, and the tools they use will be different than other federal departments or agencies.

Operate & Maintain: The Core of IT

Fourth is the workforce category titled "Operate & Maintain." Of all the categories, this one most clearly revolves around IT core roles. Six specialty areas are identically defined in both frameworks, including

• Customer Service and Technical Support

• Data Administration

• Knowledge Management

• Network Services

• Systems Administration

• Systems Analysis

Because, at their core, all networks operate according to the same basic principles, it's no surprise that there's virtually no difference between the 8140-approved DCWF and the NICE Framework here.

The DoD's Unique Considerations

One of the driving forces behind developing the original 8570 guidance is the DoD's unique requirements in applying these roles in a deployed environment. While all federal agencies have assets in the field, the DoD is—without doubt—the only department that deploys assets at the size and scale to which we've become accustomed. Commanders couldn't afford to have personnel in the IT roles described above head to Afghanistan or Iraq and be unqualified to perform their jobs. This need drove the introduction of 8570 and subsequent evolution to 8140.

An additional consideration is that the DoD's personnel are divided into four unique Components (Army, Navy, Air Force, and Marines). Each of these services has distinctive equipment, roles, and objectives, but their core IT roles must be trained to the same standard. While the NICE Framework is focused primarily on home station IT, the DoD develops each job in this category with an eye toward what that individual needs to be able to do in a deployed environment.

Oversee & Govern: Where Leadership is Managed

The fifth category is "Oversee & Govern" and is concerned with organizational "leadership, management, direction… development and advocacy." Individuals here are charged with executing leadership roles to ensure that the organization to which they belong can effectively conduct cybersecurity work. Six major specialty roles are defined in this category, but they can be roughly divided into three areas:

• Leadership, management, planning, and policy. This includes everything from the day-to-day management of small teams to executive vision-casting and strategic planning.

• Advice and advocacy. Legal feedback and recommendations are an integral aspect here. Additionally, both frameworks explicitly identify the role of program and product management in advising the acquisition process and how programs and projects are applied with regards to various laws and policies.

• Training and education. It's appropriate that the responsibility for educating both the next generation of IT professionals and those outside of the organization falls in the leadership category.

Rank & Roles: How 8140 & NIST Vary

In many federal agencies and departments, technician roles are highly specialized, with unique pay scales and promotion pathways. The DoD is a different animal: any individual wearing the uniform can generally only advance their career by being promoted in rank. The common denominator across all military specialties, from infantry to IT, is that this tends to take professionals out of technician roles and into management responsibilities.

Another driving force behind 8570 (and subsequently, 8140) was the need for management personnel to be certified at appropriate levels of technical knowledge and understanding. The last thing the DoD needed was to have a leadership corps with an outdated and insufficient knowledge base. Although the primary structures of NICE & DCWF are identical, one of the crucial focuses of 8140 is ensuring that personnel assigned to oversight and governance roles are appropriately certified—something that is more baked into technical positions at other federal agencies.

Protect & Defend: Where the Rubber Meets the Road

The most security-focused of the cybersecurity framework categories is "Protect & Defend." Three of the four specialties in this area integrally relate to other major categories. Cyber Defense Analysis works closely with the specialties in the "Analyze" category; Cyber Defense Infrastructure Support is integrally tied to "Operate & Maintain" specialties; and "Incident Response" is tasked with investigating and analyzing response activities, where they'll work closely with professionals from the "Investigate" category.

The most unique function in this section is the responsibility for Vulnerability Assessment and Management. This includes activities such as penetration and white hat hacking, probing networks, defenses, and countermeasures to ensure that these mechanisms are operating appropriately.

How 8140 and NIST Differ

At a high level, both frameworks are identical. As the focus narrows into more specific roles, there is an increased emphasis on offensive (i.e., sanctioned black hat) capabilities within the DCWF framework that is not a part of the NIST guidelines.

Additionally, DoD's role in protecting against state actors and tKillist groups takes on the most heightened profile in this category. While most other federal agencies are primarily concerned with an attack impacting their ability to operate (e.g., by taking down critical computer systems and slowing or halting progress), the DoD must be concerned with hackers accessing and deploying actual weapons systems. Defending against this involves strategically placed "human interrupters" at various stages. One example of this would be missile officers who still run 24-hour operations, pulling shifts at underground silos with antiquated equipment that isn't connected to the outside world. Commands arrive from humans to humans, because the risk of a single failure of an automated or remotely-controlled nuclear weapons system is too great to entertain.

Securely Provision: The Foundational Element

Arguably the broadest category is the final of the seven: "Securely Provision." Here, professionals are tasked with the full lifecycle of development, from architecture to programming to quality assurance roles. Risk Management, as well as Research and Development, find their place in this category.

Although various commercial and government entities do build and maintain secure systems, the DoD has one of the most extensive secure networks in the world: the Secret Internet Protocol Router Network, or SIPRNet. This is essentially a classified version of the civilian Internet and is often used by the US Department of State as well. Designing, upgrading, and maintaining this extensive network falls within these categorical roles in the DCWF.

Additional Variations Between 8140 and NIST

While most other federal agencies and departments focus on IT to facilitate and accentuate how they operate, the DoD realizes that IT is a critical pathway to deploying weapons systems and project force. This involves extensive partnerships with external contractors as they design software and technology not used anywhere else in the world. Many roles in the other six workforce categories revolve around using these systems, but in the Securely Provision sector, the DCWF has a unique relationship with the defense sector.

The Final Word

DODD 8140 utilizes the DoD Cyber Workforce Framework to execute its core functionalities. The DCWF is closely modeled after the NICE Framework; at a high level, few dissimilarities exist. The primary differences revolve around a higher operational emphasis on state actors versus individual criminals and an increased focus on the ability to project force through network attacks within the DoD.

Modeling the DCWF after the framework published by NIST is the right thing to do. It makes role classification much simpler, aligns it with the civilian world, and makes DoD requirements more adaptive to the rapidly-evolving IT landscape.