|
1 |
| -# **OSSF Project/WG Name** |
2 |
| - |
3 |
| -[Brief description of the initiative] |
| 1 | +# **Cybersecurity Skills Framework** |
4 | 2 |
|
| 3 | +A free, open, and customizable web-based tool developed by the Open Source Security Foundation (OpenSSF) and the Linux Foundation to help organizations assess and build cybersecurity skills across various IT roles. The framework provides skill mapping for 14 job families at different experience levels and aligns with industry standards like NIST NICE, DoD 8140, and ICT e-CF. |
5 | 4 |
|
6 | 5 | ##
|
7 | 6 | **Motivation**
|
8 | 7 |
|
9 |
| -[Background / use cases of the problem to be solved] |
| 8 | +Today’s organizations face an urgent need to build cybersecurity capacity across their software, DevOps, operations, and GRC teams. However, most frameworks are overly complex, vendor-driven, or narrowly scoped. |
| 9 | + |
| 10 | +This initiative addresses the need for a simplified, practical, and open cybersecurity skills framework that is: |
| 11 | + |
| 12 | +- Role-based and job family-oriented |
| 13 | +- Lightweight and customizable |
| 14 | +- Mapped to real-world proficiencies and responsibilities |
| 15 | +- Open source and vendor-neutral |
| 16 | + |
| 17 | +Use cases include: |
10 | 18 |
|
| 19 | +- Building internal security career paths |
| 20 | +- Mapping workforce training needs |
| 21 | +- Conducting cybersecurity skills assessments |
| 22 | +- Bridging the gap between HR, team leads, and technical staff |
11 | 23 |
|
12 | 24 | ##
|
13 | 25 | **Objective**
|
14 | 26 |
|
15 |
| -[What is to be achieved with this initiative] |
| 27 | +To provide an open-source, extensible cybersecurity skills framework that: |
16 | 28 |
|
17 |
| -[OKRs - OPTIONAL] |
| 29 | +- Defines clear roles and responsibilities across 14 job families |
| 30 | +- Maps each role to foundational, intermediate, and advanced skill levels |
| 31 | +- Aligns with common cybersecurity standards and frameworks |
| 32 | +- Encourages adoption across enterprises, education, and governments |
18 | 33 |
|
| 34 | +**OKRs (Optional)** |
| 35 | + |
| 36 | +- Increase adoption across at least 100 organizations within the first year |
| 37 | +- Add support for 5+ additional job roles based on community feedback |
| 38 | +- Release annual updates based on contributor input and industry changes |
19 | 39 |
|
20 | 40 | ##
|
21 | 41 | **Scope**
|
22 | 42 |
|
23 |
| -[What is in and out of scope] |
| 43 | +**In Scope:** |
24 | 44 |
|
| 45 | +- Development and maintenance of the framework web tool |
| 46 | +- Updates to job families, skills, and mappings |
| 47 | +- Alignment with widely recognized standards |
| 48 | +- Community feedback integration |
25 | 49 |
|
26 |
| -## |
27 |
| -**Prior Work** |
| 50 | +**Out of Scope:** |
28 | 51 |
|
| 52 | +- Offering proprietary training content or certifications |
| 53 | +- Providing enterprise consulting or support services |
29 | 54 |
|
| 55 | +## |
| 56 | +**Prior Work** |
30 | 57 |
|
31 |
| -* List of prior and/or related projects |
| 58 | +* [NIST NICE Framework](https://www.nist.gov/itl/applied-cybersecurity/nice/nice-framework-resource-center) |
| 59 | +* [DoD 8140 Workforce Framework](https://public.cyber.mil/cw/dod-cyber-workforce-framework/) |
| 60 | +* [ENISA Cybersecurity Skills Framework](https://www.enisa.europa.eu/publications/european-cybersecurity-skills-framework) |
| 61 | +* [ICT European e-Competence Framework](https://www.ecompetences.eu/) |
32 | 62 |
|
33 | 63 | ##
|
34 | 64 | **Active Projects**
|
35 | 65 |
|
36 |
| -[Optional] |
| 66 | +- Cybersecurity Skills Framework (core) |
| 67 | +- Framework UI/UX improvements |
| 68 | +- Additional language support |
| 69 | +- Job role and skill taxonomy expansion |
37 | 70 |
|
38 | 71 | ##
|
39 | 72 | **Inactive Projects**
|
40 | 73 |
|
41 |
| -[Optional] |
| 74 | +None at this time |
42 | 75 |
|
43 | 76 | #
|
44 | 77 | **Get Involved**
|
45 | 78 |
|
46 |
| -* Official communications occur on the [ADD LINK TO YOUR WG MAILING LIST] (ex: https://lists.openssf.org/g/openssf-tac/topics). \ |
47 |
| -[Manage your subscriptions to Open SSF mailing lists](https://lists.openssf.org/g/main/subgroups). |
48 |
| -* [Add Slack information if availabable] |
| 79 | +* Official communications occur on the [OpenSSF TAC mailing list](https://lists.openssf.org/g/openssf-tac/topics) |
| 80 | + [Manage your subscriptions to OpenSSF mailing lists](https://lists.openssf.org/g/main/subgroups) |
| 81 | +* Join us on the `#skills-framework` channel in the [OpenSSF Slack workspace](https://slack.openssf.org/) |
49 | 82 |
|
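Review bot: The mailing-list bullet on new lines 79-80 makes the OpenSSF TAC list the official channel, but the removed template line gave that URL only as an example (`ex: https://lists.openssf.org/g/openssf-tac/topics`). Link the initiative's own list, or state that the TAC list is the intended channel. The trailing `\` hard break was also dropped, so the "Manage your subscriptions" link on line 80 will render run together with the preceding sentence; restore the break or move it to its own bullet.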
50 | 83 | ##
|
51 |
| - |
52 |
| - |
53 | 84 | ###
|
54 | 85 | **Quick Start**
|
55 | 86 |
|
56 |
| -* Areas that need contributions |
57 |
| -* Build information if applicable |
58 |
| -* Where to file issues |
59 |
| -* Etc. |
| 87 | +* Areas that need contributions: |
| 88 | + - New job role definitions |
| 89 | + - Skill description refinements |
| 90 | + - Translations and localization |
| 91 | + - UI/UX suggestions |
| 92 | +* Build instructions: See [`CONTRIBUTING.md`](./CONTRIBUTING.md) |
| 93 | +* File issues or suggestions on [GitHub Issues](https://github.com/ossf/cybersecurity-skills-framework/issues) |
60 | 94 |
|
61 | 95 | ##
|
62 | 96 | **Meeting times**
|
63 | 97 |
|
64 | 98 | [TODO: Update with your WG meeting details]
|
65 |
| -* Every other Tuesday @ 10:00am PST (Link to calendar invite) |
| 99 | + |
| 100 | +* Every other Tuesday @ 10:00am PST |
66 | 101 | * [Meeting Minutes](https://docs.google.com/document/d/1uXQI1vI5_HyOvxHMexrnTY_ruBrynbPl5yOd1UM4g3A/edit#heading=h.yworp6sxzb6g)
|
67 | 102 |
|
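Review bot: The template placeholder `[TODO: Update with your WG meeting details]` is left in place as an unchanged line (new line 98), so the published README will still show it above the schedule. Remove it once the time on line 100 is confirmed. This change also drops the `(Link to calendar invite)` text without adding a link, so point readers to the calendar entry. The Meeting Minutes link on line 101 is untouched by this commit and should be checked to confirm it is this group's document.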
68 | 103 | #
|
69 | 104 | **Governance**
|
70 | 105 |
|
71 |
| -[TODO: Update this link to your specific CHARTER.md file] |
72 | 106 | The [CHARTER.md](https://github.com/ossf/project-template/blob/main/CHARTER.md) outlines the scope and governance of our group activities.
|
73 | 107 |
|
74 |
| - |
75 |
| -[OPTIONAL] |
76 |
| -* Lead name |
77 |
| -* Co-Lead name |
| 108 | +* Lead: Glenn ten Cate ( [email protected]) |
| 109 | +* Co-Lead: Christopher Robinson ( [email protected]) |
78 | 110 |
|
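Review bot: The line `[TODO: Update this link to your specific CHARTER.md file]` is deleted, but the CHARTER.md link on new line 106 still targets `ossf/project-template`, so the TODO was removed without doing what it asked. Point the link at this repository's own CHARTER.md so the stated scope and governance match the initiative described above.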
79 | 111 | #
|
80 | 112 | **Intellectual Property**
|
81 | 113 |
|
82 | 114 | In accordance with the [OpenSSF Charter (PDF)](https://charter.openssf.org/), work produced by this group is licensed as follows:
|
83 | 115 |
|
84 |
| -[TODO: Select below the applicable license(s), delete those that don't apply, and update the LICENSE file accordingly. For specification development refer to the specific instructions on the [Community Specification Getting Started page](https://github.com/CommunitySpecification/1.0/blob/main/..Getting%20Started.md). |
85 |
| - |
86 |
| -Note that for source code, instead of Apache, you may choose to use the MIT License available at https://opensource.org/licenses/MIT. Otherwise, no other license than those listed here may be used without approval from the Governing Board.] |
87 |
| - |
88 |
| -1. Software source code |
89 |
| -* Apache License, Version 2.0, available at https://www.apache.org/licenses/LICENSE-2.0; |
90 |
| -2. Data |
91 |
| -* Any of the Community Data License Agreements, available at https://www.cdla.io; |
92 |
| -3. Specifications |
93 |
| -* Community Specification License, Version 1.0, available at https://github.com/CommunitySpecification/1.0 |
94 |
| -4. All other Documentation |
95 |
| -* Creative Commons Attribution 4.0 International License, available at https://creativecommons.org/licenses/by/4.0/ |
| 116 | +1. Software source code |
| 117 | + * Apache License, Version 2.0, available at https://www.apache.org/licenses/LICENSE-2.0 |
| 118 | +2. Data |
| 119 | + * Any of the Community Data License Agreements, available at https://www.cdla.io |
| 120 | +3. Specifications |
| 121 | + * Community Specification License, Version 1.0, available at https://github.com/CommunitySpecification/1.0 |
| 122 | +4. All other Documentation |
| 123 | + * Creative Commons Attribution 4.0 International License, available at https://creativecommons.org/licenses/by/4.0/ |
96 | 124 |
|
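Review bot: In the Intellectual Property list (new lines 116-123) the template instruction to select the applicable licenses, delete those that don't apply, and update the LICENSE file is removed, yet all four categories are kept unchanged. Confirm that each of the four really applies to this project (for example, whether it publishes anything under the Community Specification License), drop the ones that do not, and make sure the LICENSE file is updated in the same change.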
97 | 125 | **Antitrust Policy Notice**
|
98 | 126 |
|
99 | 127 | Linux Foundation meetings involve participation by industry competitors, and it is the intention of the Linux Foundation to conduct all of its activities in accordance with applicable antitrust and competition laws. It is therefore extremely important that attendees adhere to meeting agendas, and be aware of, and not participate in, any activities that are prohibited under applicable US state, federal or foreign antitrust and competition laws.
|
100 | 128 |
|
101 |
| -Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation. |
| 129 | +Examples of types of actions that are prohibited at Linux Foundation meetings and in connection with Linux Foundation activities are described in the Linux Foundation Antitrust Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have questions about these matters, please contact your company counsel, or if you are a member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation. |