Information Systems Security Developer
Designs, develops, tests, and evaluates information system security throughout the systems development lifecycle.
Qualification Matrix
Basic | Intermediate | Advanced | Notes | ||
---|---|---|---|---|---|
Foundational Qualification Options | Education | A BS degree in Information Technology, Cybersecurity, Data Science, Information Systems, or Computer Science, from an ABET accredited or CAE designated institution fulfills the educational requirement for this WRC | A BS degree in Information Technology, Cybersecurity, Data Science, Information Systems, or Computer Science, from an ABET accredited or CAE designated institution fulfills the educational requirement for this WRC | TBD | For additional information pertaining to ABET: www.abet.org or CAE: www.caecommunity.org |
Foundational Qualification Options | OR | OR | OR | ||
Foundational Qualification Options | DoD/Military Training | CYB 5640/CYB 5640V/WSS 010 | WSS 011 or WSS 012 | 4C-F22/160-F23 or 4C-FA26B | See TAB C (DCWF Training Repository) below for additional course information. |
Foundational Qualification Options | Commercial Training | TBD | TBD | TBD | |
Foundational Qualification Options | OR | OR | OR | ||
Foundational Qualification Options | Personnel Certification | GISF or CND or SSCP | CSC or GCLD or CASP+ or CCSP or Cloud+ or GSEC | FITSP-D or GCSA or CISSP-ISSEP | See TAB B (Certification Index) below for certification vendor information. Courses at higher proficiency levels qualify lower levels. |
Foundational Qualification Alternative | Experience | Conditional Alternative | Conditional Alternative | Conditional Alternative | Refer to Section 3 of the DoD 8140 Manual for more information. |
Residential Qualification | On-the-Job Qualification | Always Required | Always Required | Always Required | Individuals must demonstrate capability to perform their duties in their resident environment. |
Residential Qualification | Environment-Specific Requirements | Component Discretion | Component Discretion | Component Discretion | |
Annual Maintenance | Continuous Professional Development | Minimum of 20 hours annually or what is required to maintain certification; whichever is greater. | Minimum of 20 hours annually or what is required to maintain certification; whichever is greater. | Minimum of 20 hours annually or what is required to maintain certification; whichever is greater. |
Core KSATs
KSAT ID | Description | KSAT |
---|---|---|
8A | Knowledge of access authentication methods. |
Knowledge |
21 | Knowledge of computer algorithms. |
Knowledge |
22 | * Knowledge of computer networking concepts and protocols, and network security methodologies. |
Knowledge |
25 | Knowledge of encryption algorithms (e.g., Internet Protocol Security [IPSEC], Advanced Encryption Standard [AES], Generic Routing Encapsulation [GRE], Internet Key Exchange [IKE], Message Digest Algorithm [MD5], Secure Hash Algorithm [SHA], Triple Data Encryption Standard [3DES]). |
Knowledge |
27A | Knowledge of cryptology. |
Knowledge |
34 | Knowledge of database systems. |
Knowledge |
38 | Knowledge of organization’s enterprise information security architecture system. |
Knowledge |
43A | Knowledge of embedded systems. |
Knowledge |
46 | Knowledge of fault tolerance. |
Knowledge |
51 | Knowledge of how system components are installed, integrated, and optimized. |
Knowledge |
52 | Knowledge of human-computer interaction principles. |
Knowledge |
63 | Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). |
Knowledge |
64 | Knowledge of information security systems engineering principles. |
Knowledge |
70 | Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption). |
Knowledge |
72 | Knowledge of local area and wide area networking principles and concepts including bandwidth management. |
Knowledge |
79 | Knowledge of network access, identity, and access management (e.g., public key infrastructure [PKI]). |
Knowledge |
81A | Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services. |
Knowledge |
82A | Knowledge of network design processes, to include understanding of security objectives, operational objectives, and tradeoffs. |
Knowledge |
90 | Knowledge of operating systems. |
Knowledge |
92 | Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]). |
Knowledge |
94 | Knowledge of parallel and distributed computing concepts. |
Knowledge |
98 | Knowledge of policy-based and risk adaptive access controls. |
Knowledge |
101 | Knowledge of process engineering concepts. |
Knowledge |
108 | * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). |
Knowledge |
109 | Knowledge of secure configuration management techniques. |
Knowledge |
110A | Knowledge of security management. |
Knowledge |
118 | Knowledge of software development models (e.g., Waterfall Model, Spiral Model). |
Knowledge |
119 | Knowledge of software engineering. |
Knowledge |
121 | Knowledge of structured analysis principles and methods. |
Knowledge |
124 | Knowledge of system design tools, methods, and techniques, including automated systems analysis and design tools. |
Knowledge |
126 | Knowledge of system software and organizational design standards, policies, and authorized approaches (e.g., International Organization for Standardization [ISO] guidelines) relating to system design. |
Knowledge |
129 | Knowledge of system life cycle management principles, including software security and usability. |
Knowledge |
130 | Knowledge of systems testing and evaluation methods. |
Knowledge |
144 | Knowledge of the systems engineering process. |
Knowledge |
177 | Skill in designing countermeasures to identified security risks. |
Skill |
179 | Skill in designing security controls based on cybersecurity principles and tenets. |
Skill |
197 | Skill in discerning the protection needs (i.e., security controls) of information systems and networks. |
Skill |
199 | Skill in evaluating the adequacy of security designs. |
Skill |
416 | Analyze design constraints, analyze trade-offs and detailed system and security design, and consider lifecycle support. |
Task |
419 | Apply security policies to applications that interface with one another, such as Business-to-Business (B2B) applications. |
Task |
425 | Assess the effectiveness of cybersecurity measures utilized by system(s). |
Task |
426 | Assess threats to and vulnerabilities of computer system(s) to develop a security risk profile. |
Task |
431 | Build, test, and modify product prototypes using working models or theoretical models. |
Task |
457 | Conduct Privacy Impact Assessments (PIA) of the application’s security design for the appropriate security controls, which protect the confidentiality and integrity of Personally Identifiable Information (PII). |
Task |
494 | Design and develop cybersecurity or cybersecurity-enabled products. |
Task |
496A | Design, develop, integrate, and update system security measures that provide confidentiality, integrity, availability, authentication, and non-repudiation. |
Task |
501 | Design or integrate appropriate data backup capabilities into overall system designs, and ensure appropriate technical and procedural processes exist for secure system backups and protected storage of backup data. |
Task |
503A | Design to security requirements to ensure requirements are met for all systems and/or applications. |
Task |
516 | Develop and direct system testing and validation procedures and documentation. |
Task |
530 | Develop detailed security design documentation for component and interface specifications to support system design and development. |
Task |
531 | Develop Disaster Recovery and Continuity of Operations plans for systems under development and ensure testing prior to systems entering a production environment. |
Task |
630 | Identify and direct the remediation of technical problems encountered during testing and implementation of new systems (e.g., identify and find work-arounds for communication protocols that are not interoperable). |
Task |
659 | Implement security designs for new or existing system(s). |
Task |
662 | Incorporate cybersecurity vulnerability solutions into system designs (e.g., Cybersecurity Vulnerability Alerts). |
Task |
737B | Perform an information security risk assessment. |
Task |
766A | Perform security reviews and identify security gaps in architecture. |
Task |
770 | Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change. |
Task |
809 | Provide input to the Risk Management Framework process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials). |
Task |
850 | Store, retrieve, and manipulate data for analysis of system capabilities and requirements. |
Task |
856 | Provide support to security/certification test and evaluation activities. |
Task |
997 | Design and develop key management functions (as related to cybersecurity). |
Task |
998 | Analyze user needs and requirements to plan and conduct system security development. |
Task |
1000 | Ensure security design and cybersecurity development activities are properly documented (providing a functional description of security implementation) and updated as necessary. |
Task |
1002 | Skill in conducting audits or reviews of technical systems. |
Skill |
1072 | Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). |
Knowledge |
1073 | Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools. |
Knowledge |
1133 | Knowledge of service management concepts for networks and related standards (e.g., Information Technology Infrastructure Library, current version [ITIL]). |
Knowledge |
1142 | Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model). |
Knowledge |
1152 | Implement and integrate system development life cycle (SDLC) methodologies (e.g., IBM Rational Unified Process) into development environment. |
Task |
1157 | * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity. |
Knowledge |
1158 | * Knowledge of cybersecurity principles. |
Knowledge |
1159 | * Knowledge of cyber threats and vulnerabilities. |
Knowledge |
2354 | Employ configuration management processes. |
Task |
5200 | Design, implement, test, and evaluate secure interfaces between information systems, physical systems, and/or embedded technologies. |
Task |
6900 | * Knowledge of specific operational impacts of cybersecurity lapses. |
Knowledge |
6935 | * Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). |
Knowledge |
6938 | * Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments. |
Knowledge |
Additional KSATs
KSAT ID | Description | KSAT |
---|---|---|
3B | Skill in conducting vulnerability scans and recognizing vulnerabilities in information systems and networks. |
Skill |
40 | Knowledge of organization’s evaluation and validation requirements. |
Knowledge |
42 | Knowledge of electrical engineering as applied to computer architecture, including circuit boards, processors, chips, and associated computer hardware. |
Knowledge |
65A | Knowledge of Information Theory (e.g., source coding, channel coding, algorithm complexity theory, and data compression). |
Knowledge |
75 | Knowledge of mathematics, including logarithms, trigonometry, linear algebra, calculus, and statistics. |
Knowledge |
78 | Knowledge of microprocessors. |
Knowledge |
100 | Knowledge of Privacy Impact Assessments. |
Knowledge |
133 | Knowledge of key telecommunications concepts (e.g., Routing Algorithms, Fiber Optics Systems Link Budgeting, Add/Drop Multiplexers). |
Knowledge |
173A | Skill in integrating and applying policies that meet system security objectives. |
Skill |
177A | Knowledge of countermeasure design for identified security risks. |
Knowledge |
180 | Skill in designing the integration of hardware and software solutions. |
Skill |
191 | Skill in developing and applying security system access controls. |
Skill |
224A | Skill in the use of design modeling (e.g., unified modeling language). |
Skill |
542A | Develop risk mitigation strategies and cybersecurity countermeasures to address cost, performance, and security risks and to resolve vulnerabilities and recommend security changes to system or system components as needed. |
Task |
542A | Develop mitigation strategies to address cost, schedule, performance, and security risks. |
Task |
626 | Identify components or elements, allocate security functions to those elements, and describe the relationships between the elements. |
Task |
632 | Identify and prioritize essential system functions or sub-systems required to support essential capabilities or business functions for restoration or recovery after a system failure or during a system recovery event based on overall system requirements for continuity and availability. |
Task |
648 | Identify, assess, and recommend cybersecurity or cybersecurity-enabled products for use within a system and ensure recommended products are in compliance with organization’s evaluation and validation requirements. |
Task |
710 | Monitor and evaluate a system’s compliance with information technology (IT) security, resilience, and dependability requirements. |
Task |
803 | Provide guidelines for implementing developed systems to customers or installation teams. |
Task |
808A | Provide input to implementation plans and standard operating procedures as they relate to information systems security. |
Task |
860A | Trace system requirements to design components and perform gap analysis. |
Task |
874 | Utilize models and simulations to analyze or predict system performance under different operating conditions. |
Task |
877A | Verify stability, interoperability, portability, and/or scalability of system architecture. |
Task |
904 | Knowledge of interpreted and compiled computer languages. |
Knowledge |
936 | Develop security compliance processes and/or audits for external services (e.g., cloud service providers, data centers). |
Task |
999 | Develop cybersecurity designs to meet specific operational needs and environmental factors (e.g., access controls, automated applications, networked operations, high integrity and availability requirements, multilevel security/processing of multiple classification levels, and processing Sensitive Compartmented Information). |
Task |
1034A | Knowledge of Personally Identifiable Information (PII) data security standards. |
Knowledge |
1034B | Knowledge of Payment Card Industry (PCI) data security standards. |
Knowledge |
1034C | Knowledge of Personal Health Information (PHI) data security standards. |
Knowledge |
1037 | Knowledge of information technology (IT) supply chain security and risk management policies, requirements, and procedures. |
Knowledge |
1038B | Knowledge of local specialized system requirements (e.g., critical infrastructure/control systems that may not use standard information technology [IT]) for safety, performance, and reliability). |
Knowledge |
1125 | Knowledge of Cloud-based knowledge management technologies and concepts related to security, governance, procurement, and administration. |
Knowledge |
1135 | Knowledge of the application firewall concepts and functions (e.g., Single point of authentication/audit/policy enforcement, message scanning for malicious content, data anonymization for PCI and PII compliance, data loss protection scanning, accelerated cryptographic operations, SSL security, REST/JSON processing). |
Knowledge |
1140A | Skill in using Public-Key Infrastructure (PKI) encryption and digital signature capabilities into applications (e.g., S/MIME email, SSL traffic). |
Skill |
1141A | Knowledge of an organization’s information classification program and procedures for information compromise. |
Knowledge |
6918 | Ability to apply cybersecurity strategy to cloud computing service and deployment models, identifying proper architecture for different operating environments. |
Ability |
6919 | Ability to determine the best cloud deployment model for the appropriate operating environment. |
Ability |