Security Architect
Designs enterprise and systems security throughout the development lifecycle; translates technology and environmental conditions (e.g., law and regulation) into security designs and processes.
Qualification Matrix
Basic | Intermediate | Advanced | Notes | ||
---|---|---|---|---|---|
Foundational Qualification Options | Education | A BS degree in Information Technology, Cybersecurity, Data Science, Information Systems, or Computer Science, from an ABET accredited or CAE designated institution fulfills the educational requirement for this WRC | A BS degree in Information Technology, Cybersecurity, Data Science, Information Systems, or Computer Science, from an ABET accredited or CAE designated institution fulfills the educational requirement for this WRC | TBD | For additional information pertaining to ABET: www.abet.org or CAE: www.caecommunity.org |
Foundational Qualification Options | OR | OR | OR | ||
Foundational Qualification Options | DoD/Military Training | CYB 5640/CYB 5640V/WSS 010 or CYB 5610 | WSS 011 or WSS 012 | TBD | See TAB C (DCWF Training Repository) below for additional course information. |
Foundational Qualification Options | Commercial Training | TBD | TBD | TBD | |
Foundational Qualification Options | OR | OR | OR | ||
Foundational Qualification Options | Personnel Certification | GISF | CASP+ or CCSP or Cloud+ or CSSLP or GSEC | CISM or CISSO or FITSP-D or GCIA or GCSA or GCLD or GDSA or GICSP or CISSP-ISSAP or CISSP-ISSEP | See TAB B (Certification Index) below for certification vendor information. Courses at higher proficiency levels qualify lower levels. |
Foundational Qualification Alternative | Experience | Conditional Alternative | Conditional Alternative | Conditional Alternative | Refer to Section 3 of the DoD 8140 Manual for more information. |
Residential Qualification | On-the-Job Qualification | Always Required | Always Required | Always Required | Individuals must demonstrate capability to perform their duties in their resident environment. |
Residential Qualification | Environment-Specific Requirements | Component Discretion | Component Discretion | Component Discretion | |
Annual Maintenance | Continuous Professional Development | Minimum of 20 hours annually or what is required to maintain certification; whichever is greater. | Minimum of 20 hours annually or what is required to maintain certification; whichever is greater. | Minimum of 20 hours annually or what is required to maintain certification; whichever is greater. |
Core KSATs
KSAT ID | Description | KSAT |
---|---|---|
22 | * Knowledge of computer networking concepts and protocols, and network security methodologies. |
Knowledge |
38 | Knowledge of organization’s enterprise information security architecture system. |
Knowledge |
63 | Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). |
Knowledge |
68B | Ability to design architectures and frameworks. |
Ability |
70B | Skill in applying cybersecurity methods, such as firewalls, demilitarized zones, and encryption. |
Skill |
108 | * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). |
Knowledge |
143A | Knowledge of integrating the organizationâs goals and objectives into the architecture. |
Knowledge |
183 | Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes. |
Skill |
197A | Skill in translating operational requirements into protection needs (i.e., security controls). |
Skill |
534 | Develop/integrate cybersecurity designs for systems and networks with multilevel security requirements or requirements for the processing of multiple classification levels of data primarily applicable to government organizations (e.g., UNCLASSIFIED, SECRET, and TOP SECRET). |
Task |
561 | Document and address organization’s information security, cybersecurity architecture, and systems security engineering requirements throughout the acquisition lifecycle. |
Task |
568 | Employ secure configuration management processes. |
Task |
579 | Ensure acquired or developed system(s) and architecture(s) are consistent with organization’s cybersecurity architecture guidelines. |
Task |
631 | Identify and prioritize critical business functions in collaboration with organizational stakeholders. |
Task |
646A | Document the protection needs (i.e., security controls) for the information system(s) and network(s) and document appropriately. |
Task |
765 | Perform security reviews, identify gaps in security architecture, and develop a security risk management plan. |
Task |
994 | Define and document how the implementation of a new system or new interfaces between systems impacts the security posture of the current environment. |
Task |
1072A | Ability to apply network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). |
Ability |
1157 | * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity. |
Knowledge |
1158 | * Knowledge of cybersecurity principles. |
Knowledge |
1159 | * Knowledge of cyber threats and vulnerabilities. |
Knowledge |
2248 | Develop a system security context, a preliminary system security CONOPS, and define baseline system security requirements in accordance with applicable cybersecurity requirements. |
Task |
2390 | Evaluate security architectures and designs to determine the adequacy of security design and architecture proposed or provided in response to requirements contained in acquisition documents. |
Task |
3307 | Knowledge of cybersecurity-enabled software products. |
Knowledge |
6030 | Ability to apply an organization’s goals and objectives to develop and maintain architecture. |
Ability |
6900 | * Knowledge of specific operational impacts of cybersecurity lapses. |
Knowledge |
6935 | * Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). |
Knowledge |
6938 | * Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments. |
Knowledge |
Additional KSATs
KSAT ID | Description | KSAT |
---|---|---|
8 | Knowledge of authentication, authorization, and access control methods. |
Knowledge |
21 | Knowledge of computer algorithms. |
Knowledge |
25 | Knowledge of encryption algorithms (e.g., Internet Protocol Security [IPSEC], Advanced Encryption Standard [AES], Generic Routing Encapsulation [GRE], Internet Key Exchange [IKE], Message Digest Algorithm [MD5], Secure Hash Algorithm [SHA], Triple Data Encryption Standard [3DES]). |
Knowledge |
27 | Knowledge of cryptography and cryptographic key management concepts. |
Knowledge |
34 | Knowledge of database systems. |
Knowledge |
40A | Knowledge of organization’s evaluation and validation criteria. |
Knowledge |
42 | Knowledge of electrical engineering as applied to computer architecture, including circuit boards, processors, chips, and associated computer hardware. |
Knowledge |
43A | Knowledge of embedded systems. |
Knowledge |
46A | Knowledge of system fault tolerance methodologies. |
Knowledge |
51 | Knowledge of how system components are installed, integrated, and optimized. |
Knowledge |
52 | Knowledge of human-computer interaction principles. |
Knowledge |
53A | Knowledge of risk assessments and authorization per Risk Management Framework processes. |
Knowledge |
53 | Knowledge of the Security Assessment and Authorization process. |
Knowledge |
62 | Knowledge of industry-standard and organizationally accepted analysis principles and methods. |
Knowledge |
65A | Knowledge of Information Theory (e.g., source coding, channel coding, algorithm complexity theory, and data compression). |
Knowledge |
69A | Knowledge of risk management processes and requirements per the Risk Management Framework (RMF). |
Knowledge |
75 | Knowledge of mathematics, including logarithms, trigonometry, linear algebra, calculus, and statistics. |
Knowledge |
78 | Knowledge of microprocessors. |
Knowledge |
79 | Knowledge of network access, identity, and access management (e.g., public key infrastructure [PKI]). |
Knowledge |
81A | Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services. |
Knowledge |
82A | Knowledge of network design processes, to include understanding of security objectives, operational objectives, and tradeoffs. |
Knowledge |
90 | Knowledge of operating systems. |
Knowledge |
92 | Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]). |
Knowledge |
94 | Knowledge of parallel and distributed computing concepts. |
Knowledge |
109A | Knowledge of configuration management techniques. |
Knowledge |
110 | Knowledge of key concepts in security management (e.g., Release Management, Patch Management). |
Knowledge |
111A | Ability to apply secure system design tools, methods and techniques. |
Ability |
113A | Knowledge of N-tiered typologies including server and client operating systems. |
Knowledge |
119 | Knowledge of software engineering. |
Knowledge |
124A | Ability to apply system design tools, methods, and techniques, including automated systems analysis and design tools. |
Ability |
130 | Knowledge of systems testing and evaluation methods. |
Knowledge |
132 | Knowledge of technology integration processes. |
Knowledge |
133 | Knowledge of key telecommunications concepts (e.g., Routing Algorithms, Fiber Optics Systems Link Budgeting, Add/Drop Multiplexers). |
Knowledge |
141A | Knowledge of the enterprise information technology (IT) architectural concepts and patterns to include baseline and target architectures. |
Knowledge |
144 | Knowledge of the systems engineering process. |
Knowledge |
155 | Skill in applying and incorporating information technologies into proposed solutions. |
Skill |
180 | Skill in designing the integration of hardware and software solutions. |
Skill |
224 | Skill in design modeling and building use cases (e.g., unified modeling language). |
Skill |
238A | Skill in writing code in a currently supported programming language (e.g., Java, C++). |
Skill |
413A | Analyze user needs and requirements to plan architecture. |
Task |
465 | Develop threat model based on customer interviews and requirements. |
Task |
483 | Define and prioritize essential system capabilities or business functions required for partial or full system restoration after a catastrophic failure event. |
Task |
484 | Define appropriate levels of system availability based on critical system functions and ensure system requirements identify appropriate disaster recovery and continuity of operations requirements to include any appropriate fail-over/alternate site requirements, backup requirements, and material supportability requirements for system recover/restoration. |
Task |
502A | Develop enterprise architecture or system components required to meet user needs. |
Task |
525A | Develop procedures and test fail-over for system operations transfer to an alternate site based on system availability requirements. |
Task |
569A | Document and update as necessary all definition and architecture activities. |
Task |
602 | Evaluate factors such as reporting formats required, cost constraints, and need for security restrictions to determine hardware configuration. |
Task |
669 | Integrate and align information security and/or cybersecurity policies to ensure system analysis meets security requirements. |
Task |
797 | Provide advice on project costs, design concepts, or design changes. |
Task |
807 | Provide input on security requirements to be included in statements of work and other appropriate procurement documents. |
Task |
809 | Provide input to the Risk Management Framework process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials). |
Task |
864A | Translate proposed capabilities into technical requirements. |
Task |
865 | Translate security requirements into application design elements including documenting the elements of the software attack surfaces, conducting threat modeling, and defining any specific security criteria. |
Task |
936 | Develop security compliance processes and/or audits for external services (e.g., cloud service providers, data centers). |
Task |
993A | Ability to apply the methods, standards, and approaches for describing, analyzing, and documenting an organization’s enterprise information technology (IT) architecture (e.g., Open Group Architecture Framework [TOGAF], Department of Defense Architecture Framework [DoDAF], Federal Enterprise Architecture Framework [FEAF]). |
Ability |
996A | Assess and design security management functions as related to cyberspace. |
Task |
1034C | Knowledge of Personal Health Information (PHI) data security standards. |
Knowledge |
1034B | Knowledge of Payment Card Industry (PCI) data security standards. |
Knowledge |
1034A | Knowledge of Personally Identifiable Information (PII) data security standards. |
Knowledge |
1037B | Knowledge of program protection planning to include information technology (IT) supply chain security/risk management policies, anti-tampering techniques, and requirements. |
Knowledge |
1038 | Knowledge of local specialized system requirements (e.g., critical infrastructure systems that may not use standard information technology [IT]) for safety, performance, and reliability. |
Knowledge |
1038B | Knowledge of local specialized system requirements (e.g., critical infrastructure/control systems that may not use standard information technology [IT]) for safety, performance, and reliability). |
Knowledge |
1073 | Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools. |
Knowledge |
1125 | Knowledge of Cloud-based knowledge management technologies and concepts related to security, governance, procurement, and administration. |
Knowledge |
1130 | Knowledge of organizational process improvement concepts and process maturity models (e.g., Capability Maturity Model Integration (CMMI) for Development, CMMI for Services, and CMMI for Acquisitions). |
Knowledge |
1133 | Knowledge of service management concepts for networks and related standards (e.g., Information Technology Infrastructure Library, current version [ITIL]). |
Knowledge |
1135 | Knowledge of the application firewall concepts and functions (e.g., Single point of authentication/audit/policy enforcement, message scanning for malicious content, data anonymization for PCI and PII compliance, data loss protection scanning, accelerated cryptographic operations, SSL security, REST/JSON processing). |
Knowledge |
1136A | Knowledge of use cases related to collaboration and content synchronization across platforms (e.g., Mobile, PC, Cloud). |
Knowledge |
1140A | Skill in using Public-Key Infrastructure (PKI) encryption and digital signature capabilities into applications (e.g., S/MIME email, SSL traffic). |
Skill |
1141A | Knowledge of an organization’s information classification program and procedures for information compromise. |
Knowledge |
1142B | Skill in applying security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model). |
Skill |
1147A | Develop data management capabilities (e.g., cloud based, centralized cryptographic key management) to include support to the mobile workforce. |
Task |
2014 | Analyze candidate architectures, allocate security services, and select security mechanisms. |
Task |
2887 | Write detailed functional specifications that document the architecture development process. |
Task |
3153 | Knowledge of circuit analysis. |
Knowledge |
3246 | Knowledge of confidentiality, integrity, and availability requirements. |
Knowledge |
3642 | Knowledge of various types of computer architectures. |
Knowledge |
6150 | Ability to optimize systems to meet enterprise performance requirements. |
Ability |
6210 | Knowledge of cloud service models and possible limitations for an incident response. |
Knowledge |
6330 | Knowledge of multi-level/security cross domain solutions. |
Knowledge |
6640 | Skill in designing multi-level security/cross domain solutions. |
Skill |
6680 | Skill in the use of design methods. |
Skill |
6918 | Ability to apply cybersecurity strategy to cloud computing service and deployment models, identifying proper architecture for different operating environments. |
Ability |
6919 | Ability to determine the best cloud deployment model for the appropriate operating environment. |
Ability |
6942 | Skill in designing or implementing cloud computing deployment models. |
Skill |
6945 | Skill in migrating workloads to, from, and among the different cloud computing service models. |
Skill |