Mapping your School’s Cybersecurity Program to Professional Work Roles

In a previous blog post, I promised to cover three topics related to the development of the NSA CAE community:
1. Increasing number of CAE-designated institutions
2. Mapping to roles
3. Incorporating competency statements

I covered number one last time. This post is dedicated to number two: mapping to roles.

One of the innovations introduced over the past couple of years in the CAE community is aligning a designated program of study to work Roles. This is now a requirement for new and renewed CAE-designated programs of study.

For CAE-designation purposes, Roles should be chosen from the 52 identified in the NIST NICE framework or the 54 identified in the DOD CWF. (The fact that there are two competing frameworks may befuddle, but I think it is actually not a bad thing – because they have different strengths.)

First, what is a work role?
This is an important question. Its answer seems deceptively simple:
NIST NICE says they are “a way of describing a grouping of work for which someone is responsible or accountable”.

It is important to recognize that work roles are not job titles (though they might sound like, or could in some cases even be, job titles) – which is admittedly confusing and non-intuitive. Instead, they are common groupings of tasks, knowledge, and skill statements. Under this system, a single worker can have multiple roles. The image below, taken from the NICE framework, describes the relationships.

As I said before, CAE-designation requires CAE institutions to identify three Roles to which their program of study intends to align. Said another way, these are roles for which the program intends to prepare its students.

If you think about this from an employer’s perspective (especially a federal or DoD employer), this should simplify recruiting and hiring: “I look at my hiring needs, you show me what roles your program prepared you to do, and voilà, we have a fit”.
I like that idea. Here are my questions and concerns:

  • Isn’t “fit” much more complex than work role preparation?
  • How exclusive are roles? / Are there natural role clusters?
  • Does it make sense to force students into Roles (at 2-year, 4-year, and graduate levels)?
  • Are students going to choose programs that match their role interests and aptitudes in the first place?
  • Are employers inside and outside the federal government tracking/projecting hiring/demand information for these roles?
  • How accurate are those projections?
  • Can the projections be shared with the CAEs?
  • How difficult is it for an academic institution to change “Roles” to meet new/projected demands?
  • Do some roles have more/fewer TKS statements?
  • Are some roles more challenging/difficult than others to learn/perform?
  • Do some roles pay more/less than others?
  • Should that pay information be available to students to help students choose institutions/programs of study?
  • Might each role align better to a course than to an entire program of study?
  • What qualifies instructors to teach about a certain role?

I believe that these questions can be answered. But I think it will require a significant effort from employers and students as well as educators to achieve the expected or desired value of aligning programs of study to roles.

Now, for the irony. When the CAEs were first stood up in the late 1990s, designation required alignment with the information assurance training standards for national security systems. These standards were based on several roles; namely: System Administrators, Information Systems Security Officers, System Certifiers, and Risk Analysts. These training standards appear to still be in force, though they are no longer used in the CAE designation process.

In about 2014, the CAE community turned away from Roles and towards the idea of knowledge units (KUs). This approach was much more academic than applied: what a student/graduate knew took precedence over the things a graduate was prepared to do. Naturally there is some correlation between knowledge and tasks (and remember that the NICE framework wasn’t released until 2017, and DOD CWF was not released until 2023 – so alignment to the breadth of roles was not even a choice). But the irony in aligning to Roles is that everything old is new again.

CAEs – What is Excellence?

From participation in last week’s symposium, it is clear that CAEs are developing in several significant ways:

  1. Increasing number of CAE-designated institutions
  2. Requiring each program to align to recognized cybersecurity roles
  3. Incorporating competency statements

I am going to dedicate the next several blog posts to these topics. Today I am covering the increasing number of CAE-designated institutions.

Over the 27 years of its existence, the CAE community has grown from just 7 institutions to 467. This is an annual growth rate of 16.84 percent. That is quite impressive. Play that out for another 10 years and we would be looking at about 2,000 CAEs.

According to the US National Center for Education Statistics, there were 3,931 higher educational institutions in the USA during 2020-2021. So 2,000 would be a 50% penetration rate. Impressive. Will the demand for entry-level cybersecurity professionals continue at that pace for the next decade?

The presentations also indicated that currently, 137 of the 467 CAEs are community colleges (~30%). The Department of Education reports that in 2020-2021, there were 1,022 community colleges in the USA. If growth were to achieve a total 50% penetration across all IHEs, we would expect much of the CAE growth to come from community colleges.

At the symposium I made some new friends – including several from community colleges. I loved the community college instructors. Those I spoke with had transitioned to teaching from other careers – one from military service, and another from IT. They love teaching – because they know education makes a difference!

My concern with this rate of growth is that instead of developing centers of academic excellence (CAEs), we are developing centers of educational adequacy (CEAs)! Don’t get me wrong: you must pass through adequacy to reach excellence; but, in a situation (10 years from now) where half the schools in the country rely on canned curricula, free lab experiences, and standardized assessments – what should/will excellence look like?
I have given some thought to how I would stay ahead. I won’t give away all the details here and now, but here are some focal points:

  1. New foundational paradigms
  2. Transformative experiences
  3. Cyber-infused interdisciplinary programs of study
  4. Interpersonal excellence

At the CAE Annual Symposium

This week I am in Charleston at the National Centers of Academic Excellence (CAE) Symposium. I am guessing there are around 500 attendees representing the 467 (if I heard correctly) NSA-designated CAEs. If you are a CAE, attendance is required.


A little background: NSA stood up the CAEs in 1998. ISU (where I teach) was one of the original 7 CAEs. The idea was that there was no specialized accreditation for cybersecurity education. NSA awarded the CAE designation to institutions that aligned their curricula with the NSTISS/CNSS 401x training standards.

Becoming a CAE-designated institution requires having a designated program of study (among other requirements).

Institutions can be designated for cyber defense (CD), research (R), and/or cyber operations (CO).

The good:
It is cool to see such a vibrant community of educators. I think there are seven simultaneous tracks at some points. Because the CAE community is growing, there are lots of schools and faculty that are “new”. It is fun to talk with this friendly group. If you’ve been here before, it is good to see faculty friends from other institutions.

When I go to a conference, I find that I enjoy it more if I attend sessions that I know nothing about.

In that attitude, I rather enjoyed the session by Derek Hansen of Brigham Young University about creating a graphic modeling language for cyber attack scenarios. I wouldn’t call it a stroke of sheer genius, but I understood the power in making students express adversarial thinking graphically.

I have students in my Critical Infrastructure Defense class do a deep dive of the Triton attacks against the oil refinery in Saudi Arabia, and use MITRE ATT&CK to describe the techniques used.

I can see that my assignment focuses on one-step-at-a-time, and ultimately ends up in a good bit of text. So asking students to select and arrange graphics would reinforce a holistic view and the importance of technique sequencing.

I could perceive that complicated attacks might not fit in one graphic. But that’s ok.

Derek’s presentation got me thinking about modeling (languages) in general. Our (mental) models can limit or empower us. I have spent a lot of effort over the past years consuming and contributing to workforce development models. I carefully compared 15 or so cybersecurity workforce development models for my PhD thesis (chapter 7). None of these natively used a graphical component. I wonder whether a graphical approach would be beneficial there…

The not-so-good:
It’s a bit tough to leave my students during the last four weeks of the semester. For both my graduate students and undergraduates, this is “crunch time”. While I left my in-person classes this week in capable hands of a research assistant, it seemed a bit ironic that a group focusing on academic excellence would host the event at this time of year. Now, there might never be a good time, and planning around spring breaks of 400+ institutions will inevitably leave some disappointed. But for me — it is painful.