A proposed rule published today by the Defense Department, NASA, and the General Services Administration aims to help streamline the cybersecurity workforce by integrating the National Initiative for Cybersecurity Education (NICE) Framework into Federal IT and cybersecurity contract requirements.
Posted to the Federal Register, the new proposal from the three agencies would amend the Federal Acquisition Regulation (FAR) and fulfill a requirement in the May 2019 cybersecurity workforce executive order by standardizing cybersecurity workforce tasks, knowledge, skills, and work roles according to the National Institute for Standards and Technology’s NICE Framework.
The NICE framework, first released in March 2024 and fleshed out by more recent updates since then, standardizes language used to describe cybersecurity work across different industries and sectors and aims to help facilitate workforce development.
“[The NICE Framework] is a fundamental resource in the development and support of a prepared and effective cybersecurity workforce that enables consistent organizational and sector communication for cybersecurity education, training, and workforce development,” the proposal says.
“The NICE Framework is intended to be applied in the public, private, and academic sectors to grow the cybersecurity capability of the U.S. Government, increase integration of the Federal cybersecurity workforce, and strengthen the skills of Federal information technology and cybersecurity practitioners,” it says.
The rule proposal would amend the FAR by adding definitions for “cybersecurity” and the NICE Framework, while including provisions to strengthen requirements for Federal contracts on the front and back ends.
New provisions would require agency acquisition plans for IT and cybersecurity support services to outline workforce requirements aligned with the NICE Framework and ensure that these services incorporate the framework’s standards into their documentation.
Commercial products and services also would have to comply with the NICE Framework, and all agencies would be required to meet cybersecurity workforce standards aligned with the framework, including contract offers, quotes, and reporting requirements.
Comments on the proposal are due by March 3.
