UMass Lowell’s Cybersecurity Program Builds on CIS Controls

The University of Massachusetts Lowell – known as UMass Lowell – is a national research university committed to preparing students for work in the real world by providing an affordable, high-quality education. The University has developed three courses that outline best practices for designing and building a cybersecurity program based on the NIST Cybersecurity Framework and the CIS Controls.

Three Courses

UMass Lowell’s cybersecurity training translates the NIST Framework for employees at all levels of an organization, enabling them to understand, assess and address the unique cybersecurity risks and needs their organization is facing.  The self-paced courses can be taken as a sequence or individually, and are accessible through the UMass online learning platform.

1. NIST Framework Basics – Introductory


Every company should have a cybersecurity strategy and program that aligns with their business and technology strategy. This course provides participants with a basic understanding of the NIST Cybersecurity Framework. NIST Framework Basics focuses on:

  • Why the framework was developed
  • What the framework covers
  • How the framework can be implemented by organizations to establish or improve a cybersecurity strategy and system security program.

Who’s it for? Whether your role is top-level strategy or cybersecurity implementation, this course is for you.

Alignment with CIS Controls: The NIST Framework Basics course includes detailed mapping of the CIS Controls V7 with the NIST Cybersecurity Framework (V1.1) Core Functions and Framework Categories.

2. NIST Cyber Factory – Intermediate

This course builds on the NIST Framework Basics course by providing students with the knowledge, skills, and ability to design, build and manage a NIST-compliant corporate cybersecurity program. Topics covered include:

  • Basic cyber threat landscape
  • Cyberattack chains
  • Common vulnerabilities
  • Risk and control frameworks
  • Enterprise assets and identities
  • Technical and business controls
  • Testing and assurance
  • Security technologies and operations
  • Business management
  • Security policies and risk management principles

Who it’s for? If you are ready to design a cybersecurity program for your organization based on the NIST Cybersecurity Framework or CIS Controls, this course is for you.

Alignment with the CIS Controls: The NIST Cyber Factory course includes two lessons that focus on the CIS Controls (V7). The first lesson includes a detailed description of the 20 CIS Controls and Sub-Controls. The second lesson includes a blueprint for applying the CIS Controls to a corporate cybersecurity program, a method for conducting a risk assessment, developing an executive scorecard, and building a program roadmap.

3. NIST Cyber Labs – Advanced

This lab- and exercise-based course provides participants with real-world solutions they can put into practice today in a production environment. The labs are designed, built and delivered in an easily consumable, practical and relevant format, providing lessons which can be applied to a working Information Technology (IT) and/or Operational Technology (OT) environment. The goal of each lab is to improve an organization’s cybersecurity profile in a measurable way. Each lab is aligned with the NIST Cybersecurity Framework as well as common security controls and industry best practices.

Who it for? If you are ready to explore how the NIST Framework will operate in a synthetic environment, this course is for you. Participants can choose one of three specific career areas: engineering, technology or business.

Alignment with the CIS Controls: Each UMass Lowell Cyber Lab is aligned with the NIST Cybersecurity Framework as well as common security controls and industry best practices including the CIS Controls.

Education for the Future

Through various courses, UMass Lowell helps organizations establish a high-level strategy and approach for developing and implementing a cybersecurity program. The course describes the components and functional requirements of the NIST Cybersecurity Framework. Students will learn engineering, technical and management capabilities for designing, implementing, operating, maintaining and managing a NIST-compliant cybersecurity program. Combined with education on the CIS Controls best practices, students can walk away prepared to protect systems and data against cyber attacks.

About the Author

Larry Wilson, the developer of the three courses, is a cybersecurity professional with 15+ years in cybersecurity engineering, design, technology, operations, program development, and management. His primary expertise relates to helping organizations design and build a comprehensive cybersecurity program based on the NIST Cybersecurity Framework. As the former Chief Information Security Officer (CISO) in the University of Massachusetts President’s Office, Larry was responsible for developing, implementing and managing the University of Massachusetts Information Security Policy and Written Information Security Program (WISP). The University’s program is based on an “NCSF Controls Factory™” approach that Larry created to help organizations operationalize the NIST Cybersecurity Framework and industry best practices (ISO 27001, CIS Controls, etc.) across an enterprise and its supply chain. This approach has been implemented consistently across all five UMass campuses, as well as at six other universities in Massachusetts.