
NCSP® Capability Model

A Structured, NIST‑Aligned Model for Building Cybersecurity Capability

The NCSP® Capability Model defines how individuals, teams, and organisations develop cybersecurity capability in alignment with the NIST Cybersecurity Framework (CSF) 2.0 and supporting NIST Special Publications. It provides a clear, measurable, and scalable approach to capability development across five organisational domains and three workforce levels.

The Capability Model is owned, governed, and maintained exclusively by CySec Professionals Ltd as part of the NIST Cybersecurity Professional® (NCSP®) Framework.

Purpose of the Capability Model

The NCSP® Capability Model enables organisations to:

  • Align workforce development with NIST CSF 2.0

  • Build measurable capability across all cybersecurity roles

  • Strengthen organisational resilience and maturity

  • Establish a common language for cybersecurity skills

  • Support enterprise, government, and academic adoption

It bridges the gap between individual learning, team readiness, and organisational capability.

Organisational Capability Domains

The NCSP® Capability Model defines five domains, each aligned to NIST CSF 2.0 Functions and key NIST Special Publications.

1. Governance & Leadership

Focus: Strategy, oversight, policy, and risk governance
Aligned NIST References: CSF Govern Function, SP 800‑37, SP 800‑12

Capabilities include:

  • Cybersecurity strategy and governance

  • Policy development and oversight

  • Risk‑based decision‑making

  • Executive alignment and accountability

  • Regulatory and standards compliance

2. Risk & Resilience

Focus: Risk assessment, risk management, and resilience engineering
Aligned NIST References: SP 800‑30, SP 800‑37, SP 800‑160, SP 800‑184

Capabilities include:

  • Threat and risk assessment

  • RMF integration

  • Resilience engineering

  • Business continuity and recovery

  • Enterprise risk alignment

3. Technical Security & Engineering


Focus: Controls, secure design, secure software, and system trustworthiness
Aligned NIST References: SP 800‑53, SP 800‑160, SP 800‑218

Capabilities include:

  • Security and privacy controls

  • Secure‑by‑design engineering

  • Secure software development

  • Architecture and system assurance

  • Vulnerability and configuration management

4. Operational Security & Response

Focus: Monitoring, detection, incident handling, and operational resilience
Aligned NIST References: SP 800‑61, SP 800‑115, SP 800‑82

Capabilities include:

  • Incident detection and response

  • Security operations and monitoring

  • Technical testing and validation

  • OT/ICS security operations

  • Operational resilience and continuity

5. Workforce & Talent Development

Focus: Skills, roles, competencies, and workforce planning
Aligned NIST References: SP 800‑181 (NICE Workforce Framework for Cybersecurity), CSF Govern Function

Capabilities include:

  • Role definition and competency mapping

  • Workforce development programmes

  • Talent pipelines and career pathways

  • Skills assessment and measurement

  • Organisational learning and maturity

Workforce Capability Levels

The NCSP® Capability Model defines three levels of individual capability, aligned to the NCSP® Awareness, Foundation, and Practitioner layers.

Level 1 — Awareness

Focus: Understanding concepts, terminology, and principles
Who: All staff, executives, managers, and non‑technical roles

Capabilities include:

  • Basic cybersecurity literacy

  • Understanding of NIST CSF 2.0

  • Awareness of organisational risk

  • Familiarity with key NIST publications

Level 2 — Foundation

Focus: Applying NIST guidance in role‑specific contexts
Who: Analysts, engineers, managers, and specialists

Capabilities include:

  • Applying NIST SPs in operational contexts

  • Supporting risk, governance, and engineering activities

  • Contributing to organisational resilience

  • Understanding control frameworks and processes

Level 3 — Practitioner

Focus: Implementing, integrating, and operationalising NIST guidance
Who: Architects, senior engineers, and programme leads

Capabilities include:

  • Designing and implementing NIST‑aligned solutions

  • Leading risk, resilience, and engineering initiatives

  • Integrating NIST CSF 2.0 across the organisation

  • Driving continuous improvement and maturity

How Organisations Use the Capability Model

Enterprises, governments, and academic institutions use the NCSP® Capability Model to:

  • Assess current capability

  • Identify gaps

  • Build structured development plans

  • Align teams to NIST CSF 2.0

  • Support regulatory and assurance requirements

  • Develop long‑term talent pipelines

It provides a repeatable, standards‑aligned approach to capability development.

For more information, please get in touch.