Authorizing Official/Designated Representative

Authorizing Official/Designated Representative Work Role ID: 611 (NIST: SP-RM-001) Workforce Element: Cybersecurity

Senior official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation (CNSSI 4009).


Qualification Matrix

  BasicIntermediateAdvancedNotes
Foundational Qualification OptionsEducation A BS degree in Information Technology, Cybersecurity, Data Science, Information Systems, or Computer Science, from an ABET accredited or CAE designated institution fulfills the educational requirement for this WRCA BS degree in Information Technology, Cybersecurity, Data Science, Information Systems, or Computer Science, from an ABET accredited or CAE designated institution fulfills the educational requirement for this WRCTBDFor additional information pertaining to ABET: www.abet.org or CAE: www.caecommunity.org
Foundational Qualification OptionsOR OR OR
Foundational Qualification OptionsDoD/Military TrainingOfficers: J-3B-0440
Enlisted: A-150-1980
Enlisted: A-150-1202
Enlisted: A-150-1203
Enlisted: A-150-1250
A-150-1980 or A-150-1202 or A-150-1203 or A-150-1250A-531-0009 or A-531-0022 or A-531-0045See TAB C (DCWF Training Repository) below for additional course information.
Foundational Qualification OptionsCommercial TrainingTBDTBDTBD
Foundational Qualification OptionsOR OR OR
Foundational Qualification OptionsPersonnel Certification CGRC/CAP or CCSP or Cloud+ or GSECFITSP-M or GCSA or GSLC or CCISO or CISM or CISSP-ISSEP or CISSP-ISSMP or CISSPSee TAB B (Certification Index) below for certification vendor information. Courses at higher proficiency levels qualify lower levels.
Foundational Qualification AlternativeExperienceConditional AlternativeConditional AlternativeConditional AlternativeRefer to Section 3 of the DoD 8140 Manual for more information.
Residential QualificationOn-the-Job QualificationAlways RequiredAlways RequiredAlways RequiredIndividuals must demonstrate capability to perform their duties in their resident environment.
Residential QualificationEnvironment-Specific RequirementsComponent DiscretionComponent DiscretionComponent Discretion
Annual Maintenance Continuous Professional Development Minimum of 20 hours annually or what is required to maintain certification; whichever is greater.Minimum of 20 hours annually or what is required to maintain certification; whichever is greater.Minimum of 20 hours annually or what is required to maintain certification; whichever is greater.

Items denoted by a * are CORE KSATs for every Work Role, while other CORE KSATs vary by Work Role.

Core KSATs

KSAT ID Description KSAT
22

* Knowledge of computer networking concepts and protocols, and network security methodologies.

Knowledge
38

Knowledge of organization’s enterprise information security architecture system.

Knowledge
53

Knowledge of the Security Assessment and Authorization process.

Knowledge
55

Knowledge of cybersecurity principles used to manage risks related to the use, processing, storage, and transmission of information or data.

Knowledge
63

Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).

Knowledge
69

Knowledge of Risk Management Framework (RMF) requirements.

Knowledge
77

Knowledge of current industry methods for evaluating, implementing, and disseminating information technology (IT) security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities.

Knowledge
88

Knowledge of new and emerging information technology (IT) and cybersecurity technologies.

Knowledge
108

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

Knowledge
121

Knowledge of structured analysis principles and methods.

Knowledge
156A

Knowledge of confidentiality, integrity, and availability principles.

Knowledge
197

Skill in discerning the protection needs (i.e., security controls) of information systems and networks.

Skill
1034A

Knowledge of Personally Identifiable Information (PII) data security standards.

Knowledge
1037

Knowledge of information technology (IT) supply chain security and risk management policies, requirements, and procedures.

Knowledge
1040A

Knowledge of relevant laws, policies, procedures, or governance related to critical infrastructure.

Knowledge
1072

Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).

Knowledge
1157

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

Knowledge
1158

* Knowledge of cybersecurity principles.

Knowledge
1159

* Knowledge of cyber threats and vulnerabilities.

Knowledge
5320

Establish acceptable limits for the software application, network, or system.

Task
6900

* Knowledge of specific operational impacts of cybersecurity lapses.

Knowledge
6935

* Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

Knowledge
6938

* Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments.

Knowledge

Additional KSATs

KSAT ID Description KSAT
19

Knowledge of cyber defense and vulnerability assessment tools, including open source tools, and their capabilities.

Knowledge
27

Knowledge of cryptography and cryptographic key management concepts.

Knowledge
40

Knowledge of organization’s evaluation and validation requirements.

Knowledge
43A

Knowledge of embedded systems.

Knowledge
58

Knowledge of known vulnerabilities from alerts, advisories, errata, and bulletins.

Knowledge
70

Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption).

Knowledge
95A

Knowledge of penetration testing principles, tools, and techniques.

Knowledge
98

Knowledge of policy-based and risk adaptive access controls.

Knowledge
105

Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).

Knowledge
128

Knowledge of systems diagnostic tools and fault identification techniques.

Knowledge
143

Knowledge of the organization’s enterprise information technology (IT) goals and objectives.

Knowledge
177B

Knowledge of countermeasures for identified security risks.

Knowledge
179

Skill in designing security controls based on cybersecurity principles and tenets.

Skill
325

Knowledge of secure acquisitions (e.g., relevant Contracting Officer’s Technical Representative [COTR] duties, secure procurement, supply chain risk management).

Knowledge
600

Evaluate cost benefit, economic, and risk analysis in decision making process.

Task
696C

Manage authorization packages.

Task
696B

Authorizing Official only: Approve authorization packages.

Task
710

Monitor and evaluate a system’s compliance with information technology (IT) security, resilience, and dependability requirements.

Task
801B

Knowledge of threat and risk assessment.

Knowledge
836A

Authorizing Official only: Determine if the security and privacy risk from operating a system or using a system, service, or application from an external provider is acceptable.

Task
942

Knowledge of the organization’s core business/mission processes.

Knowledge
952

Knowledge of emerging security issues, risks, and vulnerabilities.

Knowledge
965

Knowledge of organization’s risk tolerance and/or risk management approach.

Knowledge
979

Knowledge of supply chain risk management standards, processes, and practices.

Knowledge
1034B

Knowledge of Payment Card Industry (PCI) data security standards.

Knowledge
1034C

Knowledge of Personal Health Information (PHI) data security standards.

Knowledge
1036

Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed.

Knowledge
1037A

Knowledge of information technology (IT) risk management policies, requirements, and procedures.

Knowledge
1038

Knowledge of local specialized system requirements (e.g., critical infrastructure systems that may not use standard information technology [IT]) for safety, performance, and reliability.

Knowledge
1131

Knowledge of security architecture concepts and enterprise architecture reference models (e.g., Zackman, Federal Enterprise Architecture [FEA]).

Knowledge
1142

Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model).

Knowledge
1146

Develop and Implement cybersecurity independent audit processes for application software/networks/systems and oversee ongoing independent audits to ensure that operational and Research and Design (R&D) processes and procedures are in compliance with organizational and mandatory cybersecurity requirements and accurately followed by Systems Administrators and other cybersecurity staff when performing their day-to-day activities.

Task
1157A

Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity and AI.

Knowledge
3591

Knowledge of organization objectives, leadership priorities, and decision-making risks.

Knowledge
5824

Authorizing Official only: Approve security and privacy assessment plans for systems and environments of operation.

Task
5837

Respond to threats and vulnerabilities based on the results of ongoing/continuous monitoring activities and risk assessments and decide if risk remains acceptable.

Task
5838

Review and approve security categorization results for systems.

Task
5839

Review security and privacy assessment plans for systems and environments of operation.

Task
6931

Knowledge of methods and techniques for analyzing risk.

Knowledge
6936

Knowledge of types of authorizations.

Knowledge
5827

Determine the authorization boundaries of systems.

Task