
NIST Just Rewrote the Rules on Cybersecurity Risk – And Your Workforce Is the Missing Piece


The U.S. National Institute of Standards and Technology has released a landmark new Quick-Start Guide that does something previous frameworks didn’t fully do: it puts people – your cybersecurity workforce – at the very center of enterprise risk management. Here’s what it means, and why every security leader needs to act on it now.

There is a conversation happening in boardrooms and security operations centers around the world, and it goes something like this:

“We have the tools. We have the policies. So why do we keep getting breached?”

The answer, more often than not, comes back to people. Not the attackers, the defenders. Specifically, whether an organization has the right people, in the right roles, with the right skills, aligned to the right risks at the right time.

In March 2026, the National Institute of Standards and Technology (NIST) published a document that addresses exactly that problem. NIST Special Publication 1308 – the Cybersecurity Framework 2.0: Cybersecurity, Enterprise Risk Management, and Workforce Management Quick-Start Guide – is a concise but powerful integration of three disciplines that have, for too long, operated in separate silos: cybersecurity risk management, enterprise risk management, and workforce planning.

This is not just another government publication to file away. For security leaders, HR directors, CISOs, and board members, it is a practical roadmap for building a resilient, risk-aware organization in an era when threats evolve faster than most hiring cycles.

Why This Guide Matters Right Now

The cybersecurity skills gap is not new news. What is new is the formal acknowledgment, from the most authoritative standards body in the United States, that workforce readiness is itself a category of cybersecurity risk — and must be managed as such.

The guide draws on the NIST Cybersecurity Framework (CSF) 2.0, which organizes cybersecurity activities into six core functions: Govern, Identify, Protect, Detect, Respond, and Recover. What SP 1308 does is connect those functions to two additional NIST pillars: the NIST IR 8286 series for enterprise risk management integration, and the NICE Framework (SP 800-181), which provides a common language for describing cybersecurity workforce roles, tasks, knowledge, and skills.

The guide is explicit about the stakes. Potential negative impacts from cybersecurity risks include higher costs, data loss, operational disruptions, lost revenue, reputational damage, and reduced innovation. Gaps in your cybersecurity workforce are one of those risks: not a separate HR problem, but a direct contributor to your organization’s exposure.

Perhaps more importantly, the guide acknowledges that cybersecurity workforce assessment is often made harder by disconnects between technical and human resources teams. This document is, in many ways, NIST’s attempt to bridge that gap permanently.

The Three Pillars: ERM, CSRM, and Workforce

Before going further, it helps to understand the three components SP 1308 brings together and why uniting them changes everything.

Enterprise Risk Management (ERM) is the organization-wide approach to understanding the full spectrum of risks as an interrelated portfolio, rather than handling each risk in isolation. When cybersecurity risk is managed only within the IT department and never reaches the risk register of the CFO or the audit committee, organizations end up with blind spots that adversaries exploit.

Cybersecurity Risk Management (CSRM) is the process of managing uncertainty on or within information and technology systems. The CSF 2.0 is the primary NIST tool for this, helping organizations understand, assess, prioritize, and communicate about their cybersecurity posture consistently across teams and leadership levels.

Cybersecurity Workforce Management covers the individuals and teams whose primary responsibilities impact an organization’s ability to protect its data, systems, and operations, from traditional IT security analysts to adjacent roles that apply cybersecurity knowledge in engineering, operations, legal, and finance functions.

The guide’s central argument is simple and powerful: these three disciplines must work together. People, processes, and technology combine to achieve acceptable levels of enterprise and cybersecurity risk. Leave any one of them out of the equation, and the others are insufficient.

The Five-Step Process: A Practical Framework for Action

SP 1308 is organized around five implementation steps for creating and using a CSF Organizational Profile, a structured description of an organization’s current and target cybersecurity posture. Here is what each step involves, and why it matters in practice.

Step 1: Scope the Organizational Profile

Every meaningful risk management effort begins with clarity about scope. This step calls for convening stakeholders from across the enterprise – from board level and executive leadership to cybersecurity, ERM, and workforce management teams – to define what the effort covers and who is accountable.

A key activity here is the Business Impact Analysis (BIA), which identifies high-value assets critical to the organization’s mission. A high-value asset is defined as any information or information system so critical that its loss or corruption would seriously impair the organization’s ability to operate. Scoping without this analysis risks investing protection resources in the wrong places.

Critically, the guide calls out third-party dependencies as part of scope from the very beginning. Vendor and supply chain workforce capabilities must be included, a reflection of hard lessons learned from major supply chain attacks that have affected organizations globally in recent years.

Step 2: Gather the Information Needed

Once the scope is defined, the next step is assembling a comprehensive picture of the organization’s current environment across three information domains.

From an ERM perspective, this means gathering risk appetite and tolerance statements, business impact analysis registers, enterprise risk profiles, and third-party risk assessments. From a CSRM perspective, it means collecting the inventory of applicable cybersecurity laws, regulations, and standards, along with organizational policies, key risk indicators, and cybersecurity risk registers.

The workforce dimension is where this step becomes distinctive. Organizations are asked to take stock of workforce planning data: organizational charts, unfilled positions, existing skillsets and certifications, and recruiting and training programs already in place. The guide specifically recommends using the NICE Framework-to-CSF 2.0 Crosswalk as a resource to map workforce capabilities to security outcomes.

This is the intelligence-gathering phase. Many organizations discover at this step that they have more risk registers than they realized and far fewer qualified people assigned to manage them.

Step 3: Create the Organizational Profile

The Organizational Profile is the heart of the CSF 2.0 approach. It comes in two flavors that must be viewed side by side: a Current Profile, which captures what the organization actually achieves today in terms of CSF cybersecurity outcomes, and a Target Profile, which articulates the desired end state given the organization’s mission objectives, risk appetite, threat intelligence, and planned technology changes.

The gap between these two profiles is not just a to-do list. It is a risk map. Every distance between where you are and where you need to be represents potential exposure, and this is where workforce analysis intersects directly with risk quantification. Workforce managers, working alongside CSRM and ERM teams, examine how current staff roles and skills either enable or impede progress toward the target state.

NIST provides a downloadable, customizable spreadsheet template for building these profiles, making the process accessible to organizations of any size or sector.

Step 4: Analyze Gaps and Create an Action Plan

With current and target profiles in hand, this step involves a formal gap analysis, identifying, at a high level, the risks created by the distance between where the organization is and where it needs to be.

The risk register becomes central here. The guide defines a risk register as a repository of risk information, including descriptions, impact assessments, probability ratings, mitigation strategies, risk owners, and priority rankings. For organizations that do not yet have a formal risk register, this step is the forcing function to build one.

What makes SP 1308’s approach distinctive is the workforce lens applied to risk ownership. The guide instructs organizations to not only identify who owns each risk, but to assess whether that person actually has the competencies – the tasks, knowledge, and skills – to fulfill that responsibility. A gap between who is named as the risk owner and what they are actually qualified to do is itself a risk that must be documented and addressed.

This is a level of accountability that many organizations have never formalized. It is overdue.

Step 5: Implement the Action Plan and Update the Profile

The final step is where decisions become investments. Once high-priority workforce gaps are identified and mapped to specific risks, organizations must choose their workforce response, and the guide is helpfully specific about what those options look like.

Workforce responses include upskilling current employees through professional development, mentorship, internships, or apprenticeships; creating new positions or reorganizing existing ones; recruiting fully competent external staff using the NICE Framework to define the required work roles; or augmenting the team through third-party contracts when internal options are not viable.

For organizations where hiring and training are not immediately feasible, the guide acknowledges a pragmatic alternative: adjust the risk response itself. If you cannot fill the gap with people, you may need to accept, avoid, or transfer the risk, but that decision must be deliberate, documented, and signed off by leadership. It cannot simply be ignored.
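To make Steps 3 to 5 concrete, here is a small added example (written for this article, not NIST's spreadsheet template or any organization's real data) that walks a Current and Target Profile through gap analysis, builds a risk register with the workforce lens the guide describes, and picks a workforce response for each entry. The maturity scale, impact values, people and NICE work role names are constructed assumptions; of the CSF 2.0 subcategory IDs used, only GV.RM-05 appears in the article, the others are standard CSF 2.0 identifiers used as labels.

```python
"""Profile gap analysis with a workforce lens (SP 1308 Steps 3-5).

Constructed example: all profiles, scores, people and work roles below are
made-up sample data, not the NIST template or a real organisation's profile.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed maturity scale for one CSF outcome. NIST leaves the scale to the
# organisation; this four-level ladder is an assumption for the example.
LEVELS = {"not_performed": 0, "partial": 1, "defined": 2, "managed": 3}


@dataclass(frozen=True)
class Person:
    name: str
    work_roles: frozenset  # NICE work roles the person is qualified for (placeholder names)


@dataclass
class Outcome:
    subcategory: str         # CSF 2.0 subcategory ID, e.g. GV.RM-05
    current: str             # Current Profile level
    target: str              # Target Profile level
    impact: int              # 1-5, taken from the Business Impact Analysis
    required_role: str       # NICE work role an owner needs (placeholder name)
    owner: Optional[Person]  # named risk owner, or None if unassigned


@dataclass
class RiskEntry:
    risk_id: str
    subcategory: str
    kind: str         # outcome_gap | owner_unassigned | owner_unqualified
    description: str
    impact: int
    likelihood: int
    owner: str

    @property
    def score(self) -> int:
        return self.impact * self.likelihood


def gap(o: Outcome) -> int:
    """Step 3/4: distance between target and current level (positive = shortfall)."""
    return LEVELS[o.target] - LEVELS[o.current]


def build_register(outcomes):
    """Step 4: turn profile gaps into register entries. Each shortfall gets an
    entry, and a named owner who lacks the required work role (or no owner at
    all) gets a second, separate entry, as the guide instructs."""
    register, n = [], 0
    for o in outcomes:
        g = gap(o)
        if g <= 0:
            continue  # target met: nothing to register for this outcome
        n += 1
        register.append(RiskEntry(
            f"R-{n:03d}", o.subcategory, "outcome_gap",
            f"{o.subcategory} is {g} level(s) below target",
            impact=o.impact,
            likelihood=min(5, 1 + g),  # constructed heuristic: bigger gap, more likely to bite
            owner=o.owner.name if o.owner else "UNASSIGNED"))
        if o.owner is None:
            n += 1
            register.append(RiskEntry(
                f"R-{n:03d}", o.subcategory, "owner_unassigned",
                f"no risk owner for {o.subcategory}",
                impact=o.impact, likelihood=4, owner="CISO + HR"))  # constructed likelihood
        elif o.required_role not in o.owner.work_roles:
            n += 1
            register.append(RiskEntry(
                f"R-{n:03d}", o.subcategory, "owner_unqualified",
                f"{o.owner.name} owns {o.subcategory} but lacks work role '{o.required_role}'",
                impact=o.impact, likelihood=4, owner="CISO + HR"))  # constructed likelihood
    register.sort(key=lambda r: r.score, reverse=True)  # priority ranking
    return register


def choose_response(entry: RiskEntry, hiring_open: bool,
                    training_budget: bool, contractors_allowed: bool) -> str:
    """Step 5: pick a workforce response; when none is viable, fall back to an
    explicit risk-treatment decision that leadership must sign off."""
    if entry.kind == "outcome_gap":
        return "technical remediation by owner"
    if entry.kind == "owner_unqualified" and training_budget:
        return "upskill current owner"
    if hiring_open:
        return "recruit against NICE work role"
    if contractors_allowed:
        return "third-party contract"
    return "adjust risk response (accept/avoid/transfer); documented leadership sign-off required"


def sample_register():
    """Constructed Current/Target Profile for four subcategories."""
    alice = Person("Alice", frozenset({"Risk Management Lead"}))
    bob = Person("Bob", frozenset({"SOC Analyst"}))
    outcomes = [
        Outcome("GV.RM-05", "partial", "managed", 4, "Risk Management Lead", alice),
        Outcome("DE.CM-01", "not_performed", "defined", 5, "SOC Analyst", None),
        Outcome("RS.MA-01", "defined", "defined", 5, "Incident Responder", bob),
        Outcome("PR.AT-01", "partial", "defined", 2, "Training Lead", bob),
    ]
    return build_register(outcomes)


if __name__ == "__main__":
    for r in sample_register():
        print(r.risk_id, r.score, r.kind, r.description, "->",
              choose_response(r, hiring_open=False, training_budget=True, contractors_allowed=False))
```

The highest-ranked entry in the sample is the unassigned owner for network monitoring, not the monitoring gap itself, which is the point of the workforce lens: a risk nobody is qualified to own outranks the technical shortfall it sits on.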

Continuous Iteration: The MEA Lifecycle

Perhaps the most important message in SP 1308 is that this is not a one-time exercise. The guide closes with a section on iteration, built around a three-phase continuous monitoring lifecycle: Manage, Evaluate, Adjust.

Organizations implement their chosen risk and workforce responses, then evaluate how effectively those responses have addressed the underlying risks, then adjust where needed — whether that means further upskilling, reassigning responsibilities, contracting additional capacity, or rethinking the risk treatment entirely. This cycle repeats continuously, with provisions for rapid response when the threat landscape changes significantly.

In an environment where a new threat actor tactic, a zero-day vulnerability, or a geopolitical event can shift risk priorities overnight, this adaptive model is not optional. It is the baseline expectation for any organization that takes its cybersecurity posture seriously.

10 Recommended Actions for Security and Risk Leaders

Drawing directly from NIST SP 1308 and the broader CSF 2.0 framework, here are ten concrete steps security teams and organizational leaders should take:

1. Treat workforce gaps as formal cybersecurity risks. Document them in your risk register with the same rigor applied to technical vulnerabilities. A vacant SOC analyst role or an undertrained incident response team is a measurable risk exposure; quantify it.

2. Establish a cross-functional team spanning cybersecurity, ERM, and HR. SP 1308’s entire premise is that these teams must work together. If your CISO and your Chief Human Resources Officer are not in regular communication, that structural gap is itself a governance failure.

3. Conduct a Business Impact Analysis if you haven’t recently. The BIA is the foundation of scoping. Without a current, accurate inventory of your high-value assets and the business processes they support, risk prioritization is guesswork.

4. Build both a Current Profile and a Target Profile using the CSF 2.0. The gap between them is your roadmap. NIST’s free spreadsheet template makes this achievable even for smaller organizations.

5. Map your workforce to the NICE Framework. Use the NICE Framework-to-CSF 2.0 Crosswalk to identify which work roles are filled, which are vacant, and which are occupied by people whose skills do not match the role’s requirements.

6. Assess your risk owners, not just your risks. For every significant risk in your register, ask whether the designated risk owner has the competency to actually manage it. If not, that mismatch is itself a risk entry.

7. Invest in security awareness training and continuous upskilling. The guide is clear that workforce adaptation must be agile and continuous. Budget for ongoing professional development, not just one-off certifications.

8. Include vendor and third-party workforce capabilities in your risk scope. Your supply chain’s security posture is part of your security posture. Assess the workforce competencies of your critical vendors as part of your risk management process.

9. Establish formal communication lines between ERM and CSRM teams. CSF subcategory GV.RM-05 specifically calls for lines of communication across the organization for cybersecurity risks, including those from suppliers and third parties. These channels should be documented and tested regularly.

10. Adopt the Manage-Evaluate-Adjust cycle as a standing organizational process. Do not treat the CSF Organizational Profile as an annual compliance exercise. Build a cadence of regular evaluation and adjustment, quarterly at minimum, with rapid-response provisions for significant threat landscape changes.

Why This Matters Beyond U.S. Borders

NIST frameworks carry global weight. The CSF is used – formally or informally – by organizations across Europe, Asia, Latin America, and increasingly across Africa and the Middle East as a baseline for cybersecurity governance. Any organization benchmarking itself against international standards, seeking cyber insurance, or operating within global supply chains will find SP 1308 directly relevant to how they think about risk and workforce alignment.

For professionals seeking to build or advance their cybersecurity careers, the NICE Framework component of this guide is particularly valuable. It provides a structured, widely recognized language for describing skills, roles, and career pathways, useful both for individuals mapping their own development and for organizations trying to write job descriptions that attract the right talent.

Conclusion

NIST SP 1308 is a quiet document with significant implications. It does not introduce new technology or mandate new compliance requirements. What it does is formalize something that security professionals have known for years but struggled to institutionalize: cybersecurity is a people problem as much as a technology problem, and the people dimension must be managed with the same discipline and rigor applied to firewalls, endpoints, and threat intelligence feeds.

The five-step process – scope, gather, profile, analyze, implement – gives organizations of any size a clear, repeatable path to aligning their security investments with their actual risk posture and workforce reality. The Manage-Evaluate-Adjust lifecycle ensures that path is never considered complete.

In a threat environment that does not pause for hiring cycles or budget approvals, the organizations that will prove most resilient are those that treat their cybersecurity workforce as a strategic asset – and manage it accordingly.

Source: NIST Special Publication 1308 – Cybersecurity Framework 2.0: Cybersecurity, Enterprise Risk Management, and Workforce Management Quick-Start Guide, National Institute of Standards and Technology, U.S. Department of Commerce, March 2026.

For cybersecurity solutions, workforce development tools, and professional security training, visit Saintynet Cybersecurity. For related industry analysis and coverage, visit Cybercory.

Ouaissou DEMBELE
Ouaissou DEMBELE is a seasoned cybersecurity expert with over 12 years of experience, specializing in purple teaming, governance, risk management, and compliance (GRC). He currently serves as Co-founder & Group CEO of Sainttly Group, a UAE-based conglomerate comprising Saintynet Cybersecurity, Cybercory.com, and CISO Paradise. At Saintynet, where he also acts as General Manager, Ouaissou leads the company’s cybersecurity vision—developing long-term strategies, ensuring regulatory compliance, and guiding clients in identifying and mitigating evolving threats. As CEO, his mission is to empower organizations with resilient, future-ready cybersecurity frameworks while driving innovation, trust, and strategic value across Sainttly Group’s divisions. Before founding Saintynet, Ouaissou held various consulting roles across the MEA region, collaborating with global organizations on security architecture, operations, and compliance programs. He is also an experienced speaker and trainer, frequently sharing his insights at industry conferences and professional events. Ouaissou holds and teaches multiple certifications, including CCNP Security, CEH, CISSP, CISM, CCSP, Security+, ITILv4, PMP, and ISO 27001, in addition to a Master’s Diploma in Network Security (2013). Through his deep expertise and leadership, Ouaissou plays a pivotal role at Cybercory.com as Editor-in-Chief, and remains a trusted advisor to organizations seeking to elevate their cybersecurity posture and resilience in an increasingly complex threat landscape.
