Risk Management
Oversees, evaluates, and supports the documentation, validation, assessment, and authorization processes necessary to assure that existing and new information technology (IT) systems meet the organization’s cybersecurity and risk requirements. Ensures appropriate treatment of risk, compliance, and assurance from internal and external perspectives.
Senior official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation (CNSSI 4009).
Core KSATs
KSAT ID | Description | KSAT |
---|---|---|
22 | * Knowledge of computer networking concepts and protocols, and network security methodologies. |
Knowledge |
38 | Knowledge of organization’s enterprise information security architecture system. |
Knowledge |
53 | Knowledge of the Security Assessment and Authorization process. |
Knowledge |
55 | Knowledge of cybersecurity principles used to manage risks related to the use, processing, storage, and transmission of information or data. |
Knowledge |
63 | Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). |
Knowledge |
69 | Knowledge of Risk Management Framework (RMF) requirements. |
Knowledge |
77 | Knowledge of current industry methods for evaluating, implementing, and disseminating information technology (IT) security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities. |
Knowledge |
88 | Knowledge of new and emerging information technology (IT) and cybersecurity technologies. |
Knowledge |
108 | * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). |
Knowledge |
121 | Knowledge of structured analysis principles and methods. |
Knowledge |
156A | Knowledge of confidentiality, integrity, and availability principles. |
Knowledge |
197 | Skill in discerning the protection needs (i.e., security controls) of information systems and networks. |
Skill |
1034A | Knowledge of Personally Identifiable Information (PII) data security standards. |
Knowledge |
1037 | Knowledge of information technology (IT) supply chain security and risk management policies, requirements, and procedures. |
Knowledge |
1040A | Knowledge of relevant laws, policies, procedures, or governance related to critical infrastructure. |
Knowledge |
1072 | Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). |
Knowledge |
1157 | * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity. |
Knowledge |
1158 | * Knowledge of cybersecurity principles. |
Knowledge |
1159 | * Knowledge of cyber threats and vulnerabilities. |
Knowledge |
5320 | Establish acceptable limits for the software application, network, or system. |
Task |
6900 | * Knowledge of specific operational impacts of cybersecurity lapses. |
Knowledge |
6935 | * Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). |
Knowledge |
6938 | * Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments. |
Knowledge |
Additional KSATs
KSAT ID | Description | KSAT |
---|---|---|
19 | Knowledge of cyber defense and vulnerability assessment tools, including open source tools, and their capabilities. |
Knowledge |
27 | Knowledge of cryptography and cryptographic key management concepts. |
Knowledge |
40 | Knowledge of organization’s evaluation and validation requirements. |
Knowledge |
43A | Knowledge of embedded systems. |
Knowledge |
58 | Knowledge of known vulnerabilities from alerts, advisories, errata, and bulletins. |
Knowledge |
70 | Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption). |
Knowledge |
95A | Knowledge of penetration testing principles, tools, and techniques. |
Knowledge |
98 | Knowledge of policy-based and risk adaptive access controls. |
Knowledge |
105 | Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code). |
Knowledge |
128 | Knowledge of systems diagnostic tools and fault identification techniques. |
Knowledge |
143 | Knowledge of the organization’s enterprise information technology (IT) goals and objectives. |
Knowledge |
177B | Knowledge of countermeasures for identified security risks. |
Knowledge |
179 | Skill in designing security controls based on cybersecurity principles and tenets. |
Skill |
325 | Knowledge of secure acquisitions (e.g., relevant Contracting Officer’s Technical Representative [COTR] duties, secure procurement, supply chain risk management). |
Knowledge |
600 | Evaluate cost benefit, economic, and risk analysis in decision making process. |
Task |
696C | Manage authorization packages. |
Task |
696B | Authorizing Official only: Approve authorization packages. |
Task |
710 | Monitor and evaluate a system’s compliance with information technology (IT) security, resilience, and dependability requirements. |
Task |
801A | Provide enterprise cybersecurity and supply chain risk management guidance. |
Task |
836A | Authorizing Official only: Determine if the security and privacy risk from operating a system or using a system, service, or application from an external provider is acceptable. |
Task |
942 | Knowledge of the organization’s core business/mission processes. |
Knowledge |
952 | Knowledge of emerging security issues, risks, and vulnerabilities. |
Knowledge |
965 | Knowledge of organization’s risk tolerance and/or risk management approach. |
Knowledge |
979 | Knowledge of supply chain risk management standards, processes, and practices. |
Knowledge |
1034B | Knowledge of Payment Card Industry (PCI) data security standards. |
Knowledge |
1034C | Knowledge of Personal Health Information (PHI) data security standards. |
Knowledge |
1036 | Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed. |
Knowledge |
1037A | Knowledge of information technology (IT) risk management policies, requirements, and procedures. |
Knowledge |
1038 | Knowledge of local specialized system requirements (e.g., critical infrastructure systems that may not use standard information technology [IT]) for safety, performance, and reliability. |
Knowledge |
1131 | Knowledge of security architecture concepts and enterprise architecture reference models (e.g., Zackman, Federal Enterprise Architecture [FEA]). |
Knowledge |
1142 | Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model). |
Knowledge |
1146 | Develop and Implement cybersecurity independent audit processes for application software/networks/systems and oversee ongoing independent audits to ensure that operational and Research and Design (R&D) processes and procedures are in compliance with organizational and mandatory cybersecurity requirements and accurately followed by Systems Administrators and other cybersecurity staff when performing their day-to-day activities. |
Task |
1157A | Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity and AI. |
Knowledge |
3591 | Knowledge of organization objectives, leadership priorities, and decision-making risks. |
Knowledge |
5824 | Authorizing Official only: Approve security and privacy assessment plans for systems and environments of operation. |
Task |
5837 | Respond to threats and vulnerabilities based on the results of ongoing/continuous monitoring activities and risk assessments and decide if risk remains acceptable. |
Task |
5838 | Review and approve security categorization results for systems. |
Task |
5839 | Review security and privacy assessment plans for systems and environments of operation. |
Task |
6931 | Knowledge of methods and techniques for analyzing risk. |
Knowledge |
6936 | Knowledge of types of authorizations. |
Knowledge |
5827 | Determine the authorization boundaries of systems. |
Task |
Conducts independent comprehensive assessments of the management, operational, and technical security controls and control enhancements employed within or inherited by an information technology (IT) system to determine the overall effectiveness of the controls (as defined in NIST 800-37).
Core KSATs
KSAT ID | Description | KSAT |
---|---|---|
19 | Knowledge of cyber defense and vulnerability assessment tools, including open source tools, and their capabilities. |
Knowledge |
22 | * Knowledge of computer networking concepts and protocols, and network security methodologies. |
Knowledge |
40 | Knowledge of organization’s evaluation and validation requirements. |
Knowledge |
55 | Knowledge of cybersecurity principles used to manage risks related to the use, processing, storage, and transmission of information or data. |
Knowledge |
58 | Knowledge of known vulnerabilities from alerts, advisories, errata, and bulletins. |
Knowledge |
63 | Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). |
Knowledge |
70 | Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption). |
Knowledge |
77 | Knowledge of current industry methods for evaluating, implementing, and disseminating information technology (IT) security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities. |
Knowledge |
105 | Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code). |
Knowledge |
108 | * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). |
Knowledge |
183 | Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes. |
Skill |
197 | Skill in discerning the protection needs (i.e., security controls) of information systems and networks. |
Skill |
537 | Develop methods to monitor and measure risk, compliance, and assurance efforts. |
Task |
548 | Develop specifications to ensure risk, compliance, and assurance efforts conform with security, resilience, and dependability requirements at the software application, system, and network environment level. |
Task |
566 | Draft statements of preliminary or residual security risks for system operation. |
Task |
691 | Maintain information systems assurance and accreditation materials. |
Task |
710 | Monitor and evaluate a system’s compliance with information technology (IT) security, resilience, and dependability requirements. |
Task |
1040A | Knowledge of relevant laws, policies, procedures, or governance related to critical infrastructure. |
Knowledge |
1072 | Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). |
Knowledge |
1157 | * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity. |
Knowledge |
1158 | * Knowledge of cybersecurity principles. |
Knowledge |
1159 | * Knowledge of cyber threats and vulnerabilities. |
Knowledge |
6900 | * Knowledge of specific operational impacts of cybersecurity lapses. |
Knowledge |
6935 | * Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). |
Knowledge |
6938 | * Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments. |
Knowledge |
Additional KSATs
KSAT ID | Description | KSAT |
---|---|---|
3B | Skill in conducting vulnerability scans and recognizing vulnerabilities in information systems and networks. |
Skill |
27 | Knowledge of cryptography and cryptographic key management concepts. |
Knowledge |
38 | Knowledge of organization’s enterprise information security architecture system. |
Knowledge |
43A | Knowledge of embedded systems. |
Knowledge |
53A | Knowledge of security risk assessments and authorization per Risk Management Framework processes. |
Knowledge |
69A | Knowledge of risk management processes and requirements per the Risk Management Framework (RMF). |
Knowledge |
88 | Knowledge of new and emerging information technology (IT) and cybersecurity technologies. |
Knowledge |
88A | Knowledge of current and emerging cyber technologies. |
Knowledge |
95B | Knowledge of penetration testing principles, tools, and techniques, including specialized tools for non-traditional systems and networks (e.g., control systems). |
Knowledge |
121 | Knowledge of structured analysis principles and methods. |
Knowledge |
128 | Knowledge of systems diagnostic tools and fault identification techniques. |
Knowledge |
143 | Knowledge of the organization’s enterprise information technology (IT) goals and objectives. |
Knowledge |
156 | Skill in applying confidentiality, integrity, and availability principles. |
Skill |
203 | Skill in identifying measures or indicators of system performance and the actions needed to improve or correct performance, relative to the goals of the system. |
Skill |
417 | Apply coding and testing standards, apply security testing tools including “‘fuzzing” static-analysis code scanning tools, and conduct code reviews. |
Task |
457 | Conduct Privacy Impact Assessments (PIA) of the application’s security design for the appropriate security controls, which protect the confidentiality and integrity of Personally Identifiable Information (PII). |
Task |
772 | Perform validation steps, comparing actual results with expected results and analyze the differences to identify impact and risks. |
Task |
775 | Plan and conduct security authorization reviews and assurance case development for initial installation of systems and networks. |
Task |
798 | Provide an accurate technical evaluation of the software application, system, or network, documenting the security posture, capabilities, and vulnerabilities against relevant cybersecurity compliances. |
Task |
827 | Recommend new or revised security, resilience, and dependability measures based on the results of reviews. |
Task |
836B | Review and approve security and privacy assessment plans. |
Task |
836 | Review authorization and assurance documents to confirm that the level of risk is within acceptable limits for each software application, system, and network. |
Task |
878 | Verify that application software/network/system security postures are implemented as stated, document deviations, and recommend required actions to correct those deviations. |
Task |
879 | Verify that the software application/network/system accreditation and assurance documentation is current. |
Task |
936 | Develop security compliance processes and/or audits for external services (e.g., cloud service providers, data centers). |
Task |
942 | Knowledge of the organization’s core business/mission processes. |
Knowledge |
1034A | Knowledge of Personally Identifiable Information (PII) data security standards. |
Knowledge |
1034B | Knowledge of Payment Card Industry (PCI) data security standards. |
Knowledge |
1034C | Knowledge of Personal Health Information (PHI) data security standards. |
Knowledge |
1036 | Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed. |
Knowledge |
1037 | Knowledge of information technology (IT) supply chain security and risk management policies, requirements, and procedures. |
Knowledge |
1038B | Knowledge of local specialized system requirements (e.g., critical infrastructure/control systems that may not use standard information technology [IT]) for safety, performance, and reliability). |
Knowledge |
1039 | Skill in evaluating the trustworthiness of the supplier and/or product. |
Skill |
1131 | Knowledge of security architecture concepts and enterprise architecture reference models (e.g., Zackman, Federal Enterprise Architecture [FEA]). |
Knowledge |
1141A | Knowledge of an organization’s information classification program and procedures for information compromise. |
Knowledge |
1142 | Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model). |
Knowledge |
1146 | Develop and Implement cybersecurity independent audit processes for application software/networks/systems and oversee ongoing independent audits to ensure that operational and Research and Design (R&D) processes and procedures are in compliance with organizational and mandatory cybersecurity requirements and accurately followed by Systems Administrators and other cybersecurity staff when performing their day-to-day activities. |
Task |