resources.infosecinstitute.com
162.159.135.42  Public Scan

Submitted URL: https://click.e.infosecinstitute.com/?qs=c5b2cfc7bd83099ad227bb841c8048807d2b3702dafe755f989a58243bfc7d30fa905d26dbd0f790400dc7023c5b...
Effective URL: https://resources.infosecinstitute.com/topic/what-is-the-difference-between-the-nice-framework-and-dodd-8140-8570/?utm_source=marketing...
Submission: On April 19 via api from US — Scanned from DE

Form analysis 2 forms found in the DOM

https://resources.infosecinstitute.com

<form class="position-relative" action="https://resources.infosecinstitute.com">
  <input type="text" placeholder="Search" name="s">
  <button type="submit" class="fas fa-search"></button>
  <div class="fas fa-times close-search" id="close-search"></div>
</form>

POST https://resources.infosecinstitute.com/wp-comments-post.php

<form action="https://resources.infosecinstitute.com/wp-comments-post.php" method="post" id="commentform" class="comment-form">
  <p class="comment-notes"><span id="email-notes">Your email address will not be published.</span> <span class="required-field-message" aria-hidden="true">Required fields are marked <span class="required" aria-hidden="true">*</span></span></p>
  <p class="comment-form-comment"><label for="comment">Comment <span class="required" aria-hidden="true">*</span></label> <textarea id="comment" name="comment" cols="45" rows="8" maxlength="65525" required="required"></textarea></p>
  <p class="comment-form-author"><label for="author">Name <span class="required" aria-hidden="true">*</span></label> <input id="author" name="author" type="text" value="" size="30" maxlength="245" required="required"></p>
  <p class="comment-form-email"><label for="email">Email <span class="required" aria-hidden="true">*</span></label> <input id="email" name="email" type="text" value="" size="30" maxlength="100" aria-describedby="email-notes" required="required"></p>
  <p class="comment-form-url"><label for="url">Website</label> <input id="url" name="url" type="text" value="" size="30" maxlength="200"></p>
  <p class="form-submit"><input name="submit" type="submit" id="submit" class="submit" value="Post Comment"> <input type="hidden" name="comment_post_ID" value="54989" id="comment_post_ID">
    <input type="hidden" name="comment_parent" id="comment_parent" value="0">
  </p>
</form>

Text Content

WHAT IS THE DIFFERENCE BETWEEN THE NICE FRAMEWORK AND DODD 8140/8570?


December 30, 2020 by Greg Belding
Those looking into government work, or those just plain interested in the
different cybersecurity frameworks out there, have probably encountered two
framework names almost daily: the NICE Framework and DoDD 8140/8570. These are
important, trusted cybersecurity frameworks that touch different parts of
government work, but knowing only this is barely even the tip of the iceberg.

This article will detail the NICE Framework and DoDD 8140/8570. We will explore
what they are, their origins, the intended users or stakeholders and how these
two frameworks differ. This article is intended to provide a high-level overview
of both frameworks with emphasis on how these NIST cybersecurity frameworks
differ.




WHAT IS THE NICE FRAMEWORK?

This framework isn’t mean (pardon the pun) but it is named NICE for the National
Initiative for Cybersecurity Education Cybersecurity Workforce Framework.
Published by the National Institute of Standards and Technology (NIST) and found
in NIST Special Publication 800-181, the NICE Framework provides a baseline for
federal cybersecurity roles, efforts and processes as well as a consistent,
systematic organization for all cybersecurity efforts for the federal
government. 

The NICE Framework is nationally-focused and establishes a common lexicon and
taxonomy for the description of cybersecurity work, roles and workers no matter
where or for whom the work is performed. This Framework is a living, changing
thing, which is best demonstrated by revisions — the first of which was released
on November 16, 2020.


NICE FRAMEWORK COMPONENTS

This framework consists of the following components:

 * 7 Categories: high-level groupings of common cybersecurity functions
 * 33 Specialty Areas of cybersecurity work
 * 52 Work Roles: This is the most detailed of these groupings and lists the
   specific skills, knowledge and abilities that are necessary to perform the
   Work Role’s tasks

Below is the list of the seven categories of cybersecurity functions:

 1. Analyze: Highly specialized evaluation and review of incoming cybersecurity
    data to determine if it is useful for intelligence
 2. Collect and Operate: Offers specialized deception and denial operations, as
    well as collection of cybersecurity information for intelligence development
 3. Investigate: Examines cybersecurity crimes or events related to IT networks,
    systems and digital evidence
 4. Operate and Maintain: Provides the administration, support and maintenance
    required to ensure efficient and effective IT systems in terms of
    performance and security
 5. Oversee and Govern: Gives leadership, direction, management or development
    and advocacy for effectively conducting cybersecurity work
 6. Protect and Defend: Identification, analysis and mitigation of internal
    threats to both IT systems and networks
 7. Securely Provision: Procures, conceptualizes, builds or designs secure IT
    systems and is responsible for the development of aspects of systems and
    networks.


WHAT IS DODD 8140/8570?

Department of Defense Directive 8570, or DoDD 8570, was a former Department of
Defense Directive that has been rolled into a larger initiative, DoDD 8140. This
directive gives guidance and procedures for the certification, training and
management of all federal government employees responsible for conducting
information assurance functions in their job duties. These government employees
are required to hold a DoD-approved certification to work their specific job;
the approved certifications are listed in the DoD Approved 8140 Baseline
Certifications.

DoDD 8140 categorizes the baseline certifications as being either IAT
(Information Assurance Technical), IAM (Information Assurance Management), IASAE
(IA System Architecture and Engineering) or CSSP (Cyber Security Service
Provider). Below are the certifications that fall within each category.


IA TECHNICAL


IAT LEVEL I

 * A+
 * CND
 * Network+


IAT LEVEL II

 * CySA+
 * CND
 * Security+


IAT LEVEL III

 * CASP+
 * CCNP Security
 * CISA
 * CISSP


IA MANAGEMENT


IAM LEVEL I

 * CAP
 * CND
 * Cloud+
 * Security+


IAM LEVEL II

 * CAP
 * CASP+
 * CISM
 * CISSP
 * CCISO


IAM LEVEL III

 * CISM
 * CISSP
 * CCISO


IA SYSTEM ARCHITECTURE AND ENGINEERING


IASAE LEVEL I

 * CASP+
 * CISSP
 * CSSLP


IASAE LEVEL II

 * CASP+
 * CISSP
 * CSSLP


IASAE LEVEL III

 * CISSP-ISSAP
 * CISSP-ISSEP


CYBER SECURITY SERVICE PROVIDER


CSSP ANALYST

 * CEH
 * CFR
 * CySA+


CSSP INFRASTRUCTURE SUPPORT

 * CEH
 * CFR
 * CySA+
 * CND
 * CHFI
 * Cloud+


CSSP INCIDENT RESPONDER

 * CEH
 * CFR
 * CHFI
 * CySA+


CSSP AUDITOR

 * CEH
 * CySA+
 * CISA
 * Cloud+
 * CFR


CSSP MANAGER

 * CISM
 * CCISO


ORIGINS

Part of the confusion some have between these two frameworks is the entangled
origins the two have. Firstly, the NICE Framework provides a baseline for
federal cybersecurity but it is a non-binding baseline. In practice, the NICE
Framework is used as a starting point for federal agencies. Next, what makes
this confusing is the fact that the DoD Cyber Workforce Framework (DCWF) was
defined in both DoDD 8140 and the NICE Framework. To top off the confusion
level, some jobs bleed into other jobs, which can ultimately cause security
vulnerabilities.


NICE FRAMEWORK AND DODD 8140 USERS AND STAKEHOLDERS

The biggest difference between the NICE Framework and DoDD 8140 is their
intended audience, or users and stakeholders. The NICE Framework is intended for
a broad range of federal government employees, from the GSA to the FBI. DoDD
8140 is intended for United States military users and stakeholders. This may
seem like a slight difference, but it has a huge impact on how these frameworks
operate.

Because of the different intended audiences, the differences between the NICE
Framework and DoDD 8140 are best viewed through the lens of the seven
categories of the NICE Framework. Let’s take a look at how the two frameworks
differ across these categories.

 * Analysis: NICE focuses on the acts of cybercriminals and 8140 focuses more on
   foreign intelligence agencies and foreign actors.
 * Collect & Operate: 8140 focuses on counterintelligence and NICE has a
   counter-criminal focus.
 * Investigate: NICE focuses on locking cybercriminals up and 8140 focuses on
   building developed and detailed target packages for future use.
 * Oversee & Govern: 8140 places more emphasis on certification because it is
   more “baked in” for other federal agencies.
 * Securely Provision: The biggest difference here is that 8140 has built out
   the Secret Internet Protocol Router Network, otherwise known as SIPRNet.
   While other federal agencies have secure networks, the heightened need for a
   secure network on the battlefield has given this category more emphasis for
   DoDD 8140.




CONCLUSION

Both the NICE Framework and DoDD 8140 have similar origins, but these frameworks
have different focuses because their audiences are so different. DoDD 8140’s
intended audience is the United States military/DoD, which has a focus on
counterintelligence and foreign actors as the enemies. For the NICE Framework,
the intended audience is all other federal agencies, which have cybercriminals
as their adversary.


Author

GREG BELDING

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys
Information Security, creating Information Defensive Strategy, and writing –
both as a Cybersecurity Blogger as well as for fun.
