Cybersecurity
Personnel who secure, defend, and preserve data, networks, net-centric capabilities, and other designated systems by ensuring appropriate security controls and measures are in place, and taking internal defense actions. This includes access to system controls, monitoring, administration, and integration of cybersecurity into all aspects of engineering and acquisition of cyberspace capabilities.
Senior official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation (CNSSI 4009).
Core KSATs
| KSAT ID | Description | KSAT |
|---|---|---|
| 22 | * Knowledge of computer networking concepts and protocols, and network security methodologies. | Knowledge |
| 38 | Knowledge of organization’s enterprise information security architecture system. | Knowledge |
| 53 | Knowledge of the Security Assessment and Authorization process. | Knowledge |
| 55 | Knowledge of cybersecurity principles used to manage risks related to the use, processing, storage, and transmission of information or data. | Knowledge |
| 63 | Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). | Knowledge |
| 69 | Knowledge of Risk Management Framework (RMF) requirements. | Knowledge |
| 77 | Knowledge of current industry methods for evaluating, implementing, and disseminating information technology (IT) security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities. | Knowledge |
| 88 | Knowledge of new and emerging information technology (IT) and cybersecurity technologies. | Knowledge |
| 108 | * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). | Knowledge |
| 121 | Knowledge of structured analysis principles and methods. | Knowledge |
| 156A | Knowledge of confidentiality, integrity, and availability principles. | Knowledge |
| 197 | Skill in discerning the protection needs (i.e., security controls) of information systems and networks. | Skill |
| 1034A | Knowledge of Personally Identifiable Information (PII) data security standards. | Knowledge |
| 1037 | Knowledge of information technology (IT) supply chain security and risk management policies, requirements, and procedures. | Knowledge |
| 1040A | Knowledge of relevant laws, policies, procedures, or governance related to critical infrastructure. | Knowledge |
| 1072 | Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). | Knowledge |
| 1157 | * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity. | Knowledge |
| 1158 | * Knowledge of cybersecurity principles. | Knowledge |
| 1159 | * Knowledge of cyber threats and vulnerabilities. | Knowledge |
| 5320 | Establish acceptable limits for the software application, network, or system. | Task |
| 6900 | * Knowledge of specific operational impacts of cybersecurity lapses. | Knowledge |
| 6935 | * Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). | Knowledge |
| 6938 | * Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments. | Knowledge |
Additional KSATs
| KSAT ID | Description | KSAT |
|---|---|---|
| 19 | Knowledge of cyber defense and vulnerability assessment tools, including open source tools, and their capabilities. | Knowledge |
| 27 | Knowledge of cryptography and cryptographic key management concepts. | Knowledge |
| 40 | Knowledge of organization’s evaluation and validation requirements. | Knowledge |
| 43A | Knowledge of embedded systems. | Knowledge |
| 58 | Knowledge of known vulnerabilities from alerts, advisories, errata, and bulletins. | Knowledge |
| 70 | Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption). | Knowledge |
| 95A | Knowledge of penetration testing principles, tools, and techniques. | Knowledge |
| 98 | Knowledge of policy-based and risk adaptive access controls. | Knowledge |
| 105 | Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code). | Knowledge |
| 128 | Knowledge of systems diagnostic tools and fault identification techniques. | Knowledge |
| 143 | Knowledge of the organization’s enterprise information technology (IT) goals and objectives. | Knowledge |
| 177B | Knowledge of countermeasures for identified security risks. | Knowledge |
| 179 | Skill in designing security controls based on cybersecurity principles and tenets. | Skill |
| 325 | Knowledge of secure acquisitions (e.g., relevant Contracting Officer’s Technical Representative [COTR] duties, secure procurement, supply chain risk management). | Knowledge |
| 600 | Evaluate cost benefit, economic, and risk analysis in decision making process. | Task |
| 696C | Manage authorization packages. | Task |
| 696B | Authorizing Official only: Approve authorization packages. | Task |
| 710 | Monitor and evaluate a system’s compliance with information technology (IT) security, resilience, and dependability requirements. | Task |
| 801A | Provide enterprise cybersecurity and supply chain risk management guidance. | Task |
| 836A | Authorizing Official only: Determine if the security and privacy risk from operating a system or using a system, service, or application from an external provider is acceptable. | Task |
| 942 | Knowledge of the organization’s core business/mission processes. | Knowledge |
| 952 | Knowledge of emerging security issues, risks, and vulnerabilities. | Knowledge |
| 965 | Knowledge of organization’s risk tolerance and/or risk management approach. | Knowledge |
| 979 | Knowledge of supply chain risk management standards, processes, and practices. | Knowledge |
| 1034B | Knowledge of Payment Card Industry (PCI) data security standards. | Knowledge |
| 1034C | Knowledge of Personal Health Information (PHI) data security standards. | Knowledge |
| 1036 | Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed. | Knowledge |
| 1037A | Knowledge of information technology (IT) risk management policies, requirements, and procedures. | Knowledge |
| 1038 | Knowledge of local specialized system requirements (e.g., critical infrastructure systems that may not use standard information technology [IT]) for safety, performance, and reliability. | Knowledge |
| 1131 | Knowledge of security architecture concepts and enterprise architecture reference models (e.g., Zachman, Federal Enterprise Architecture [FEA]). | Knowledge |
| 1142 | Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model). | Knowledge |
| 1146 | Develop and implement cybersecurity independent audit processes for application software/networks/systems and oversee ongoing independent audits to ensure that operational and Research and Design (R&D) processes and procedures are in compliance with organizational and mandatory cybersecurity requirements and accurately followed by Systems Administrators and other cybersecurity staff when performing their day-to-day activities. | Task |
| 1157A | Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity and AI. | Knowledge |
| 3591 | Knowledge of organization objectives, leadership priorities, and decision-making risks. | Knowledge |
| 5824 | Authorizing Official only: Approve security and privacy assessment plans for systems and environments of operation. | Task |
| 5837 | Respond to threats and vulnerabilities based on the results of ongoing/continuous monitoring activities and risk assessments and decide if risk remains acceptable. | Task |
| 5838 | Review and approve security categorization results for systems. | Task |
| 5839 | Review security and privacy assessment plans for systems and environments of operation. | Task |
| 6931 | Knowledge of methods and techniques for analyzing risk. | Knowledge |
| 6936 | Knowledge of types of authorizations. | Knowledge |
| 5827 | Determine the authorization boundaries of systems. | Task |
Manages the Communications Security (COMSEC) resources of an organization (CNSSI No. 4009).
Core KSATs
| KSAT ID | Description | KSAT |
|---|---|---|
| 22 | * Knowledge of computer networking concepts and protocols, and network security methodologies. | Knowledge |
| 25 | Knowledge of encryption algorithms (e.g., Internet Protocol Security [IPSEC], Advanced Encryption Standard [AES], Generic Routing Encapsulation [GRE], Internet Key Exchange [IKE], Message Digest Algorithm [MD5], Secure Hash Algorithm [SHA], Triple Data Encryption Standard [3DES]). | Knowledge |
| 37 | Knowledge of disaster recovery and continuity of operations plans. | Knowledge |
| 55 | Knowledge of cybersecurity principles used to manage risks related to the use, processing, storage, and transmission of information or data. | Knowledge |
| 61 | Knowledge of incident response and handling methodologies. | Knowledge |
| 108 | * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). | Knowledge |
| 395 | Advise senior management (e.g., CIO) on risk levels and security posture. | Task |
| 578 | Ensure security improvement actions are evaluated, validated, and implemented as required. | Task |
| 824 | Recognize a possible security violation and take appropriate action to report the incident, as required. | Task |
| 852 | Supervise or manage protective or corrective measures when a cybersecurity incident or vulnerability is discovered. | Task |
| 1141A | Knowledge of an organization’s information classification program and procedures for information compromise. | Knowledge |
| 1157 | * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity. | Knowledge |
| 1158 | * Knowledge of cybersecurity principles. | Knowledge |
| 1159 | * Knowledge of cyber threats and vulnerabilities. | Knowledge |
| 6900 | * Knowledge of specific operational impacts of cybersecurity lapses. | Knowledge |
Additional KSATs
| KSAT ID | Description | KSAT |
|---|---|---|
| 129 | Knowledge of system life cycle management principles, including software security and usability. | Knowledge |
| 143 | Knowledge of the organization’s enterprise information technology (IT) goals and objectives. | Knowledge |
| 183 | Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes. | Skill |
| 299 | Knowledge of information security program management and project management principles and techniques. | Knowledge |
| 325 | Knowledge of secure acquisitions (e.g., relevant Contracting Officer’s Technical Representative [COTR] duties, secure procurement, supply chain risk management). | Knowledge |
| 396 | Advise senior management (e.g., CIO) on cost/benefit analysis of information security programs, policies, processes, systems, and elements. | Task |
| 445 | Communicate the value of information technology (IT) security to stakeholders at all levels of the organization. | Task |
| 475 | Collaborate with stakeholders to establish the enterprise continuity of operations program, strategy, and mission assurance. | Task |
| 596 | Establish overall enterprise information security architecture (EISA) aligned with the organization’s overall security strategy. | Task |
| 600 | Evaluate cost benefit, economic, and risk analysis in decision making process. | Task |
| 1004 | Knowledge of critical information technology (IT) procurement requirements. | Knowledge |
| 1040A | Knowledge of relevant laws, policies, procedures, or governance related to critical infrastructure. | Knowledge |
Responsible for device, equipment, and system-level cybersecurity configuration and day-to-day security operations of control systems, including security monitoring and maintenance along with stakeholder coordination to ensure the system and its interconnections are secure in support of mission operations.
Core KSATs
| KSAT ID | Description | KSAT |
|---|---|---|
| 22 | * Knowledge of computer networking concepts and protocols, and network security methodologies. | Knowledge |
| 79 | Knowledge of network access, identity, and access management (e.g., public key infrastructure [PKI]). | Knowledge |
| 106 | Knowledge of remote access technology concepts. | Knowledge |
| 108 | * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). | Knowledge |
| 708A | Mitigate/correct security deficiencies identified during security/certification testing and/or recommend risk acceptance for the appropriate senior leader or authorized representative. | Task |
| 1157 | * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity. | Knowledge |
| 1158 | * Knowledge of cybersecurity principles. | Knowledge |
| 1159 | * Knowledge of cyber threats and vulnerabilities. | Knowledge |
| 3277 | Knowledge of general SCADA system components. | Knowledge |
| 3740 | Skill in determining installed patches on various operating systems and identifying patch signatures. | Skill |
| 5823 | Apply updates, patches, and security technical implementation while maintaining control system performance and availability requirements. | Task |
| 5829 | Establish and maintain security configuration baseline for the control system(s), including field devices, IT components, interconnections, and interfaces. | Task |
| 5830 | Implement Risk Management Framework (RMF) Assessment requirements for control systems, and document/maintain records for them. | Task |
| 5831 | Maintain knowledge of the function and security of control system and IT technologies with which the control systems interface. | Task |
| 5832 | Maintain network segmentation to isolate control systems from business networks and other external connections as directed. | Task |
| 5836 | Perform asset management and maintain inventory of control system devices and components through physical inspection or logical scans. | Task |
| 5840 | Support risk assessments by reviewing and documenting the implementation status of security requirements of control systems. | Task |
| 6929 | Knowledge of control system technologies, such as Programmable Logic Controllers (PLCs), Supervisory Control and Data Acquisition (SCADA) software, Distributed Control Systems (DCS) and Operational Technology (OT). | Knowledge |
| 6900 | * Knowledge of specific operational impacts of cybersecurity lapses. | Knowledge |
| 6927 | Knowledge of control system environment risks, threats and vulnerabilities. | Knowledge |
| 6933 | Knowledge of risk management processes specific to control systems. | Knowledge |
| 6935 | * Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). | Knowledge |
| 6938 | * Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments. | Knowledge |
| 6940 | Skill in applying security and managing risk in resource-constrained systems and networks. | Skill |
| 6941 | Skill in architecting compensating security controls to reduce risk for control systems and control system components that do not have adequate or compliant security capabilities. | Skill |
| 6946 | Skill in securing control system communication protocols (e.g., IP/TCP, SSL/TLS, MODBUS/DNP3/PROFINET SCADA, GOOSE) and media used for field device control. | Skill |
Additional KSATs
| KSAT ID | Description | KSAT |
|---|---|---|
| 3A | Skill in recognizing vulnerabilities in security systems. | Skill |
| 43A | Knowledge of embedded systems. | Knowledge |
| 69A | Knowledge of risk management processes and requirements per the Risk Management Framework (RMF). | Knowledge |
| 88A | Knowledge of current and emerging cyber technologies. | Knowledge |
| 342A | Knowledge of operating system command line/prompt. | Knowledge |
| 809 | Provide input to the Risk Management Framework process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials). | Task |
| 3353 | Knowledge of the Risk Management Framework Assessment Methodology. | Knowledge |
| 5821 | Act as a liaison between facility operations/engineer teams and IT or network security teams to coordinate security activities. | Task |
| 5822 | Apply tailored organizational security policies and procedures for control system environments to maintain security, but also to ensure system availability. | Task |
| 5826 | Consult on control system security matters (e.g., risk assessment, configuration management) as needed. | Task |
| 5828 | Ensure configuration and collection of control system audit logs for monitoring and forensic analysis as appropriate. | Task |
| 5833 | Off-load and review control system audit logs and review for anomalies. | Task |
| 5834 | Participate in control system change management in conjunction with IT personnel and control system experts (e.g., system supplier). | Task |
| 5835 | Participate in control system incident and disaster response, including secure system recovery. | Task |
| 6928 | Knowledge of control system performance and availability requirements. | Knowledge |
| 6934 | Knowledge of RMF assessment types (e.g., Assess & Authorize (A&A), Assess Only) and authorization boundaries (e.g., Closed Restricted Network (CRN), Stand-alone Information System (SIS)). | Knowledge |
| 6937 | Knowledge of what “normal” control system operations for specific mission/business functions look like. | Knowledge |
| 6939 | Skill in active and passive methods to safely gather information and conduct vulnerability and network analysis scans in control system environments. | Skill |
| 6943 | Skill in identifying and investigating “abnormal” control system operations based on what specific mission/business functions look like. | Skill |
Uses data collected from a variety of cyber defense tools (e.g., IDS alerts, firewalls, network traffic logs) to analyze events that occur within their environments for the purposes of mitigating threats.
Core KSATs
| KSAT ID | Description | KSAT |
|---|---|---|
| 19 | Knowledge of cyber defense and vulnerability assessment tools, including open source tools, and their capabilities. | Knowledge |
| 22 | * Knowledge of computer networking concepts and protocols, and network security methodologies. | Knowledge |
| 59A | Knowledge of Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) tools and applications. | Knowledge |
| 66 | Knowledge of intrusion detection methodologies and techniques for detecting host and network-based intrusions via intrusion detection technologies. | Knowledge |
| 70 | Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption). | Knowledge |
| 81A | Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services. | Knowledge |
| 87 | Knowledge of network traffic analysis methods. | Knowledge |
| 92 | Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]). | Knowledge |
| 108 | * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). | Knowledge |
| 150 | Knowledge of what constitutes a network attack and the relationship to both threats and vulnerabilities. | Knowledge |
| 214A | Skill in performing packet-level analysis. | Skill |
| 353 | Skill in collecting data from a variety of cyber defense resources. | Skill |
| 433 | Characterize and analyze network traffic to identify anomalous activity and potential threats to network resources. | Task |
| 472 | Coordinate with enterprise-wide cyber defense staff to validate network alerts. | Task |
| 723 | Document and escalate incidents (including event’s history, status, and potential impact for further action) that may cause ongoing and immediate impact to the environment. | Task |
| 745 | Perform cyber defense trend analysis and reporting. | Task |
| 750 | Perform event correlation using information gathered from a variety of sources within the enterprise to gain situational awareness and determine the effectiveness of an observed attack. | Task |
| 767 | Perform security reviews and identify security gaps in security architecture resulting in recommendations for the inclusion into the risk mitigation strategy. | Task |
| 800 | Provide daily summary reports of network events and activity relevant to cyber defense practices. | Task |
| 823 | Receive and analyze network alerts from various sources within the enterprise and determine possible causes of such alerts. | Task |
| 895 | Skill in recognizing and categorizing types of vulnerabilities and associated attacks. | Skill |
| 922A | Knowledge of how to use network analysis tools to identify vulnerabilities. | Knowledge |
| 956 | Provide timely detection, identification, and alerting of possible attacks/intrusions, anomalous activities, and misuse activities and distinguish these incidents and events from benign activities. | Task |
| 958 | Use cyber defense tools for continual monitoring and analysis of system activity to identify malicious activity. | Task |
| 959 | Analyze identified malicious activity to determine weaknesses exploited, exploitation methods, effects on system and information. | Task |
| 984 | Knowledge of cyber defense policies, procedures, and regulations. | Knowledge |
| 990 | Knowledge of the common attack vectors on the network layer. | Knowledge |
| 991 | Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution). | Knowledge |
| 1069A | Knowledge of general kill chain (e.g., footprinting and scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks). | Knowledge |
| 1107 | Identify and analyze anomalies in network traffic using metadata (e.g., CENTAUR). | Task |
| 1108 | Conduct research, analysis, and correlation across a wide variety of all source data sets (indications and warnings). | Task |
| 1111 | Identify applications and operating systems of a network device based on network traffic. | Task |
| 1157 | * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity. | Knowledge |
| 1158 | * Knowledge of cybersecurity principles. | Knowledge |
| 1159 | * Knowledge of cyber threats and vulnerabilities. | Knowledge |
| 6900 | * Knowledge of specific operational impacts of cybersecurity lapses. | Knowledge |
| 6935 | * Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). | Knowledge |
| 6938 | * Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments. | Knowledge |
Additional KSATs
| KSAT ID | Description | KSAT |
|---|---|---|
| 3C | Skill in recognizing vulnerabilities in information and/or data systems. | Skill |
| 8 | Knowledge of authentication, authorization, and access control methods. | Knowledge |
| 21 | Knowledge of computer algorithms. | Knowledge |
| 25 | Knowledge of encryption algorithms (e.g., Internet Protocol Security [IPSEC], Advanced Encryption Standard [AES], Generic Routing Encapsulation [GRE], Internet Key Exchange [IKE], Message Digest Algorithm [MD5], Secure Hash Algorithm [SHA], Triple Data Encryption Standard [3DES]). | Knowledge |
| 27 | Knowledge of cryptography and cryptographic key management concepts. | Knowledge |
| 34 | Knowledge of database systems. | Knowledge |
| 43A | Knowledge of embedded systems. | Knowledge |
| 49 | Knowledge of host/network access control mechanisms (e.g., access control list). | Knowledge |
| 58 | Knowledge of known vulnerabilities from alerts, advisories, errata, and bulletins. | Knowledge |
| 61 | Knowledge of incident response and handling methodologies. | Knowledge |
| 63 | Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). | Knowledge |
| 75C | Skill in conducting trend analysis. | Skill |
| 79 | Knowledge of network access, identity, and access management (e.g., public key infrastructure [PKI]). | Knowledge |
| 88A | Knowledge of current and emerging cyber technologies. | Knowledge |
| 90 | Knowledge of operating systems. | Knowledge |
| 95A | Knowledge of penetration testing principles, tools, and techniques. | Knowledge |
| 98 | Knowledge of policy-based and risk adaptive access controls. | Knowledge |
| 105 | Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code). | Knowledge |
| 110 | Knowledge of key concepts in security management (e.g., Release Management, Patch Management). | Knowledge |
| 111 | Knowledge of security system design tools, methods, and techniques. | Knowledge |
| 130A | Knowledge of systems security testing and evaluation methods. | Knowledge |
| 133 | Knowledge of key telecommunications concepts (e.g., Routing Algorithms, Fiber Optics Systems Link Budgeting, Add/Drop Multiplexers). | Knowledge |
| 138 | Knowledge of the cyber defense Service Provider reporting structure and processes within one’s own organization. | Knowledge |
| 139 | Knowledge of the common networking protocols (e.g., TCP/IP), services (e.g., web, mail, Domain Name Server), and how they interact to provide network communications. | Knowledge |
| 148 | Knowledge of Virtual Private Network (VPN) security. | Knowledge |
| 175 | Skill in developing and deploying signatures. | Skill |
| 177B | Knowledge of countermeasures for identified security risks. | Knowledge |
| 179A | Skill in assessing security controls based on cybersecurity principles and tenets. | Skill |
| 181A | Skill in detecting host and network based intrusions via intrusion detection technologies. | Skill |
| 183 | Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes. | Skill |
| 199 | Skill in evaluating the adequacy of security designs. | Skill |
| 212A | Knowledge of network mapping and recreating network topologies. | Knowledge |
| 229 | Skill in using incident handling methodologies. | Skill |
| 233 | Skill in using protocol analyzers. | Skill |
| 234B | Knowledge of the use of sub-netting tools. | Knowledge |
| 270 | Knowledge of common adversary tactics, techniques, and procedures in assigned area of responsibility (i.e., historical country-specific tactics, techniques, and procedures; emerging capabilities). | Knowledge |
| 271 | Knowledge of common network tools (e.g., ping, traceroute, nslookup). | Knowledge |
| 277 | Knowledge of defense-in-depth principles and network security architecture. | Knowledge |
| 278 | Knowledge of different types of network communication (e.g., LAN, WAN, MAN, WLAN, WWAN). | Knowledge |
| 286 | Knowledge of file extensions (e.g., .dll, .bat, .zip, .pcap, .gzip). | Knowledge |
| 342A | Knowledge of operating system command line/prompt. | Knowledge |
| 427 | Develop content for cyber defense tools. | Task |
| 559B | Analyze and report system security posture trends. | Task |
| 559A | Analyze and report organizational security posture trends. | Task |
| 576 | Ensure cybersecurity-enabled products or other compensating security control technologies reduce identified risk to an acceptable level. | Task |
| 593A | Assess adequate access controls based on principles of least privilege and need-to-know. | Task |
| 716A | Monitor external data sources (e.g., cyber defense vendor sites, Computer Emergency Response Teams, Security Focus) to maintain currency of cyber defense threat condition and determine which security issues may have an impact on the enterprise. | Task |
| 717A | Assess and monitor cybersecurity related to system implementation and testing practices. | Task |
| 782 | Plan and recommend modifications or adjustments based on exercise results or system environment. | Task |
| 806A | Provide cybersecurity recommendations to leadership based on significant threats and vulnerabilities. | Task |
| 880A | Work with stakeholders to resolve computer security incidents and vulnerability compliance. | Task |
| 904 | Knowledge of interpreted and compiled computer languages. | Knowledge |
| 912 | Knowledge of collection management processes, capabilities, and limitations. | Knowledge |
| 915 | Knowledge of front-end collection systems, including traffic collection, filtering, and selection. | Knowledge |
| 922B | Skill in using network analysis tools, including specialized tools for non-traditional systems and networks (e.g., control systems), to identify vulnerabilities. | Skill |
| 938A | Provide advice and input for Disaster Recovery, Contingency, and Continuity of Operations Plans. | Task |
| 992C | Knowledge of threat environments (e.g., first generation threat actors, threat activities). | Knowledge |
| 1033 | Knowledge of basic system administration, network, and operating system hardening techniques. | Knowledge |
| 1034C | Knowledge of Personal Health Information (PHI) data security standards. | Knowledge |
| 1034B | Knowledge of Payment Card Industry (PCI) data security standards. | Knowledge |
| 1034A | Knowledge of Personally Identifiable Information (PII) data security standards. | Knowledge |
| 1036 | Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed. | Knowledge |
| 1072 | Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). | Knowledge |
| 1073 | Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools. | Knowledge |
| 1103 | Determine tactics, techniques, and procedures (TTPs) for intrusion sets. | Task |
| 1104 | Examine network topologies to understand data flows through the network. | Task |
| 1105 | Recommend computing environment vulnerability corrections. | Task |
| 1109 | Validate intrusion detection system (IDS) alerts against network traffic using packet analysis tools. | Task |
| 1110 | Isolate and remove malware. | Task |
| 1111 | Identify applications and operating systems of a network device based on network traffic. | Task |
| 1112 | Reconstruct a malicious attack or activity based on network traffic. | Task |
| 1113 | Identify network mapping and operating system (OS) fingerprinting activities. | Task |
| 1114 | Knowledge of encryption methodologies. | Knowledge |
| 1118 | Skill in reading and interpreting signatures (e.g., snort). | Skill |
| 1119 | Knowledge of signature implementation impact. | Knowledge |
| 1120 | Ability to interpret and incorporate data from multiple tool sources. | Ability |
| 1121 | Knowledge of Windows/Unix ports and services. | Knowledge |
| 1142 | Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model). | Knowledge |
| 2062 | Assist in the construction of signatures which can be implemented on cyber defense network tools in response to new or observed threats within the NE or enclave. | Task |
| 2611 | Notify designated managers, cyber incident responders, and cybersecurity service provider team members of suspected cyber incidents and articulate the event’s history, status, and potential impact for further action in accordance with the organization’s cyber incident response plan. | Task |
| 3007 | Ability to analyze malware. | Ability |
| 3431 | Knowledge of OSI model and underlying network protocols (e.g., TCP/IP). | Knowledge |
| 3461 | Knowledge of relevant laws, legal authorities, restrictions, and regulations pertaining to cyber defense activities. | Knowledge |
| 6210 | Knowledge of cloud service models and possible limitations for an incident response. | Knowledge |
Analyzes digital evidence and investigates computer security incidents to derive useful information in support of system/network vulnerability mitigation.
Core KSATs
KSAT ID | Description | KSAT |
---|---|---|
22 | * Knowledge of computer networking concepts and protocols, and network security methodologies. | Knowledge |
24A | Knowledge of basic concepts and practices of processing digital forensic data. | Knowledge |
108 | * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). | Knowledge |
217 | Skill in preserving evidence integrity according to standard operating procedures or national standards. | Skill |
302 | Knowledge of investigative implications of hardware, Operating Systems, and network technologies. | Knowledge |
350 | Skill in analyzing memory dumps to extract information. | Skill |
381 | Skill in using forensic tool suites (e.g., EnCase, Sleuthkit, FTK). | Skill |
438A | Collect and analyze intrusion artifacts (e.g., source code, malware, and system configuration) and use discovered data to enable mitigation of potential cyber defense incidents within the enterprise. | Task |
447 | Conduct analysis of log files, evidence, and other information in order to determine best methods for identifying the perpetrator(s) of a network intrusion. | Task |
463 | Confirm what is known about an intrusion and discover new information, if possible, after identifying intrusion via dynamic analysis. | Task |
541 | Provide technical summary of findings in accordance with established reporting procedures. | Task |
613 | Examine recovered data for information of relevance to the issue at hand. | Task |
752 | Perform file signature analysis. | Task |
890 | Skill in conducting forensic analyses in multiple operating system environments (e.g., mobile device systems). | Skill |
1082 | Perform file system forensic analysis. | Task |
1086 | Knowledge of data carving tools and techniques (e.g., Foremost). | Knowledge |
1087 | Skill in deep analysis of captured malicious code (e.g., malware forensics). | Skill |
1088 | Skill in using binary analysis tools (e.g., Hexedit, command code xxd, hexdump). | Skill |
1089 | Knowledge of reverse engineering concepts. | Knowledge |
1092 | Knowledge of anti-forensics tactics, techniques, and procedures. | Knowledge |
1096 | Knowledge of malware analysis tools (e.g., OllyDbg, IDA Pro). | Knowledge |
1098 | Skill in analyzing anomalous code as malicious or benign. | Skill |
1099 | Skill in analyzing volatile data. | Skill |
1100 | Skill in identifying obfuscation techniques. | Skill |
1101 | Skill in interpreting results of debugger to ascertain tactics, techniques, and procedures. | Skill |
1157 | * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity. | Knowledge |
1158 | * Knowledge of cybersecurity principles. | Knowledge |
1159 | * Knowledge of cyber threats and vulnerabilities. | Knowledge |
6810 | Knowledge of binary analysis. | Knowledge |
6850 | Skill in analyzing malware. | Skill |
6860 | Skill in conducting bit-level analysis. | Skill |
6870 | Skill in processing digital evidence, to include protecting and making legally sound copies of evidence. | Skill |
6890 | Ability to conduct forensic analyses in and for both Windows and Unix/Linux environments. | Ability |
6900 | * Knowledge of specific operational impacts of cybersecurity lapses. | Knowledge |
6935 | * Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). | Knowledge |
6938 | * Knowledge of cloud computing deployment models in private, public, and hybrid environments and the difference between on-premises and off-premises environments. | Knowledge |
Additional KSATs
KSAT ID | Description | KSAT |
---|---|---|
25 | Knowledge of encryption algorithms (e.g., Internet Protocol Security [IPSEC], Advanced Encryption Standard [AES], Generic Routing Encapsulation [GRE], Internet Key Exchange [IKE], Message Digest Algorithm [MD5], Secure Hash Algorithm [SHA], Triple Data Encryption Standard [3DES]). | Knowledge |
29 | Knowledge of data backup, types of backups (e.g., full, incremental), and recovery concepts and tools. | Knowledge |
61 | Knowledge of incident response and handling methodologies. | Knowledge |
90 | Knowledge of operating systems. | Knowledge |
105 | Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code). | Knowledge |
113 | Knowledge of server and client operating systems. | Knowledge |
114 | Knowledge of server diagnostic tools and fault identification techniques. | Knowledge |
139 | Knowledge of the common networking protocols (e.g., TCP/IP), services (e.g., web, mail, Domain Name Server), and how they interact to provide network communications. | Knowledge |
193 | Skill in developing, testing, and implementing network infrastructure contingency and recovery plans. | Skill |
214A | Skill in performing packet-level analysis. | Skill |
264 | Knowledge of basic physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage). | Knowledge |
287 | Knowledge of file system implementations (e.g., New Technology File System [NTFS], File Allocation Table [FAT], File Extension [EXT]). | Knowledge |
290 | Knowledge of processes for seizing and preserving digital evidence (e.g., chain of custody). | Knowledge |
294 | Knowledge of hacking methodologies in Windows or Unix/Linux environment. | Knowledge |
310 | Knowledge of legal governance related to admissibility (e.g., Federal Rules of Evidence). | Knowledge |
316 | Knowledge of processes for collecting, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data. | Knowledge |
340 | Knowledge of types and collection of persistent data. | Knowledge |
345 | Knowledge of web mail collection, searching/analyzing techniques, tools, and cookies. | Knowledge |
346 | Knowledge of which system files (e.g., log files, registry files, configuration files) contain relevant information and where to find those system files. | Knowledge |
360 | Skill in identifying and extracting data of forensic interest in diverse media (i.e., media forensics). | Skill |
364 | Skill in identifying, modifying, and manipulating applicable system components within Windows, Unix, or Linux (e.g., passwords, user accounts, files). | Skill |
369 | Skill in collecting, processing, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data. | Skill |
374 | Skill in setting up a forensic workstation. | Skill |
386 | Skill in using virtual machines. | Skill |
389 | Skill in physically disassembling PCs. | Skill |
480 | Create a forensically sound duplicate of the evidence (i.e., forensic image) that ensures the original evidence is not unintentionally modified, to use for data recovery and analysis processes. This includes, but is not limited to, hard drives, floppy diskettes, CD, PDA, mobile phones, GPS, and all tape formats. | Task |
482 | Decrypt seized data using technical means. | Task |
573 | Ensure chain of custody is followed for all digital media acquired in accordance with the Federal Rules of Evidence. | Task |
636 | Identify digital evidence for examination and analysis in such a way as to avoid unintentional alteration. | Task |
749 | Perform dynamic analysis to boot an “image” of a drive (without necessarily having the original drive) to see the intrusion as the user may have seen it, in a native environment. | Task |
753 | Perform hash comparison against established database. | Task |
758 | Perform real-time forensic analysis (e.g., using Helix in conjunction with LiveView). | Task |
759 | Perform timeline analysis. | Task |
762 | Perform real-time cyber defense incident handling (e.g., forensic collections, intrusion correlation and tracking, threat analysis, and direct system remediation) tasks to support deployable Incident Response Teams (IRTs). | Task |
768 | Perform static media analysis. | Task |
771 | Perform tier 1, 2, and 3 malware analysis. | Task |
786 | Prepare digital media for imaging by ensuring data integrity (e.g., write blockers in accordance with standard operating procedures). | Task |
817 | Provide technical assistance on digital evidence matters to appropriate personnel. | Task |
825 | Recognize and accurately report forensic artifacts indicative of a particular operating system. | Task |
839A | Review forensic images and other data sources (e.g., volatile data) for recovery of potentially relevant information. | Task |
868A | Use data carving techniques (e.g., FTK-Foremost) to extract data for further analysis. | Task |
870 | Capture and analyze network traffic associated with malicious activities using network monitoring tools. | Task |
871 | Use specialized equipment and techniques to catalog, document, extract, collect, package, and preserve digital evidence. | Task |
882A | Write and publish cyber defense recommendations, reports, and white papers on incident findings to appropriate constituencies. | Task |
888 | Knowledge of types of digital forensics data and how to recognize them. | Knowledge |
889 | Knowledge of deployable forensics. | Knowledge |
908 | Ability to decrypt digital data collections. | Ability |
923 | Knowledge of security event correlation tools. | Knowledge |
944 | Conduct cursory binary analysis. | Task |
983 | Knowledge of legal rules of evidence and court procedure. | Knowledge |
1031 | Serve as technical expert and liaison to law enforcement personnel and explain incident details as required. | Task |
1033 | Knowledge of basic system administration, network, and operating system hardening techniques. | Knowledge |
1036 | Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed. | Knowledge |
1072 | Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). | Knowledge |
1081 | Perform virus scanning on digital media. | Task |
1083 | Perform static analysis to mount an “image” of a drive (without necessarily having the original drive). | Task |
1084 | Perform static malware analysis. | Task |
1085 | Utilize deployable forensics tool kit to support operations as necessary. | Task |
1091 | Skill in one-way hash functions (e.g., Secure Hash Algorithm [SHA], Message Digest Algorithm [MD5]). | Skill |
1093 | Knowledge of common forensics tool configuration and support applications (e.g., VMware, Wireshark). | Knowledge |
1094 | Knowledge of debugging procedures and tools. | Knowledge |
1095 | Knowledge of how different file types can be used for anomalous behavior. | Knowledge |
1097 | Knowledge of virtual machine aware malware, debugger aware malware, and packing. | Knowledge |
2179 | Coordinate with intelligence analysts to correlate threat assessment data. | Task |
3461 | Knowledge of relevant laws, legal authorities, restrictions, and regulations pertaining to cyber defense activities. | Knowledge |
3513 | Knowledge of system administration concepts for Unix/Linux and/or Windows operating systems. | Knowledge |
5690 | Process image with appropriate tools depending on analyst’s goals. | Task |
5700 | Perform Windows registry analysis. | Task |
5720 | Perform file and registry monitoring on the running system after identifying intrusion via dynamic analysis. | Task |
5730 | Enter media information into tracking database (e.g., Product Tracker Tool) for digital media that has been acquired. | Task |
5740 | Correlate incident data and perform cyber defense reporting. | Task |
5760 | Maintain deployable cyber defense toolkit (e.g., specialized cyber defense software/hardware) to support IRT mission. | Task |
6210 | Knowledge of cloud service models and possible limitations for an incident response. | Knowledge |
6820 | Knowledge of network architecture concepts including topology, protocols, and components. | Knowledge |
Investigates, analyzes, and responds to cyber incidents within the network environment or enclave.
Core KSATs
KSAT ID | Description | KSAT |
---|---|---|
22 | * Knowledge of computer networking concepts and protocols, and network security methodologies. | Knowledge |
37 | Knowledge of disaster recovery continuity of operations plans. | Knowledge |
50 | Knowledge of how network services and protocols interact to provide network communications. | Knowledge |
60 | Knowledge of incident categories, incident responses, and timelines for responses. | Knowledge |
61 | Knowledge of incident response and handling methodologies. | Knowledge |
66 | Knowledge of intrusion detection methodologies and techniques for detecting host and network-based intrusions via intrusion detection technologies. | Knowledge |
81A | Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services. | Knowledge |
105 | Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code). | Knowledge |
108 | * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). | Knowledge |
150 | Knowledge of what constitutes a network attack and the relationship to both threats and vulnerabilities. | Knowledge |
153 | Skill in identifying, capturing, containing, and reporting malware. | Skill |
217 | Skill in preserving evidence integrity according to standard operating procedures or national standards. | Skill |
470 | Coordinate and provide expert technical support to enterprise-wide cyber defense technicians to resolve cyber defense incidents. | Task |
716A | Monitor external data sources (e.g., cyber defense vendor sites, Computer Emergency Response Teams, Security Focus) to maintain currency of cyber defense threat condition and determine which security issues may have an impact on the enterprise. | Task |
741A | Coordinate incident response functions. | Task |
745 | Perform cyber defense trend analysis and reporting. | Task |
755 | Perform initial, forensically sound collection of images and inspect to discern possible mitigation/remediation on enterprise systems. | Task |
823 | Receive and analyze network alerts from various sources within the enterprise and determine possible causes of such alerts. | Task |
882 | Write and publish cyber defense techniques, guidance, and reports on incident findings to appropriate constituencies. | Task |
893 | Skill in securing network communications. | Skill |
895 | Skill in recognizing and categorizing types of vulnerabilities and associated attacks. | Skill |
896 | Skill in protecting a network against malware. | Skill |
897 | Skill in performing damage assessments. | Skill |
923A | Skill in using security event correlation tools. | Skill |
984 | Knowledge of cyber defense policies, procedures, and regulations. | Knowledge |
991 | Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution). | Knowledge |
1029A | Knowledge of malware analysis concepts and methodologies. | Knowledge |
1030 | Collect intrusion artifacts (e.g., source code, malware, trojans) and use discovered data to enable mitigation of potential cyber defense incidents within the enterprise. | Task |
1033 | Knowledge of basic system administration, network, and operating system hardening techniques. | Knowledge |
1069 | Knowledge of general attack stages (e.g., footprinting and scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks). | Knowledge |
1072 | Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). | Knowledge |
1157 | * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity. | Knowledge |
1158 | * Knowledge of cybersecurity principles. | Knowledge |
1159 | * Knowledge of cyber threats and vulnerabilities. | Knowledge |
3431 | Knowledge of OSI model and underlying network protocols (e.g., TCP/IP). | Knowledge |
5670 | Write and publish after action reviews. | Task |
6210 | Knowledge of cloud service models and possible limitations for an incident response. | Knowledge |
6900 | * Knowledge of specific operational impacts of cybersecurity lapses. | Knowledge |
6935 | * Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). | Knowledge |
6938 | * Knowledge of cloud computing deployment models in private, public, and hybrid environments and the difference between on-premises and off-premises environments. | Knowledge |
Additional KSATs
KSAT ID | Description | KSAT |
---|---|---|
29 | Knowledge of data backup, types of backups (e.g., full, incremental), and recovery concepts and tools. | Knowledge |
49 | Knowledge of host/network access control mechanisms (e.g., access control list). | Knowledge |
87 | Knowledge of network traffic analysis methods. | Knowledge |
93 | Knowledge of packet-level analysis. | Knowledge |
478 | Correlate incident data to identify specific vulnerabilities and make recommendations that enable expeditious remediation. | Task |
738 | Perform analysis of log files from a variety of sources (e.g., individual host logs, network traffic logs, firewall logs, and intrusion detection system [IDS] logs) to identify possible threats to network security. | Task |
743 | Perform cyber defense incident triage, to include determining scope, urgency, and potential impact; identifying the specific vulnerability; and making recommendations that enable expeditious remediation. | Task |
762 | Perform real-time cyber defense incident handling (e.g., forensic collections, intrusion correlation and tracking, threat analysis, and direct system remediation) tasks to support deployable Incident Response Teams (IRTs). | Task |
861 | Track and document cyber defense incidents from initial detection through final resolution. | Task |
961 | Employ approved defense-in-depth principles and practices (e.g., defense-in-multiple places, layered defenses, security robustness). | Task |
992C | Knowledge of threat environments (e.g., first generation threat actors, threat activities). | Knowledge |
1031 | Serve as technical expert and liaison to law enforcement personnel and explain incident details as required. | Task |
1141A | Knowledge of an organization’s information classification program and procedures for information compromise. | Knowledge |
2179 | Coordinate with intelligence analysts to correlate threat assessment data. | Task |
3362A | Knowledge of key factors of the operational environment and related threats and vulnerabilities. | Knowledge |
3561 | Knowledge of the common networking and routing protocols (e.g., TCP/IP), services (e.g., web, mail, DNS), and how they interact to provide network communications. | Knowledge |
6210 | Knowledge of cloud service models and possible limitations for an incident response. | Knowledge |
Tests, implements, deploys, maintains, and administers the infrastructure hardware and software.
Core KSATs
KSAT ID | Description | KSAT |
---|---|---|
22 | * Knowledge of computer networking concepts and protocols, and network security methodologies. | Knowledge |
49 | Knowledge of host/network access control mechanisms (e.g., access control list). | Knowledge |
59A | Knowledge of Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) tools and applications. | Knowledge |
61 | Knowledge of incident response and handling methodologies. | Knowledge |
63 | Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). | Knowledge |
81A | Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services. | Knowledge |
87A | Knowledge of network traffic analysis (tools, methodologies, processes). | Knowledge |
92B | Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol (TCP), Internet Protocol (IP), Open System Interconnection Model (OSI)). | Knowledge |
108 | * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). | Knowledge |
148 | Knowledge of Virtual Private Network (VPN) security. | Knowledge |
150 | Knowledge of what constitutes a network attack and the relationship to both threats and vulnerabilities. | Knowledge |
643A | Identify potential conflicts with implementation of any cyber defense tools (e.g., tool and signature testing and optimization). | Task |
960 | Assist in identifying, prioritizing, and coordinating the protection of critical cyber defense infrastructure and key resources. | Task |
984 | Knowledge of cyber defense policies, procedures, and regulations. | Knowledge |
1012A | Knowledge of test procedures, principles, and methodologies (e.g., Capabilities and Maturity Model Integration (CMMI)). | Knowledge |
1072 | Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). | Knowledge |
1157 | * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity. | Knowledge |
1158 | * Knowledge of cybersecurity principles. | Knowledge |
1159 | * Knowledge of cyber threats and vulnerabilities. | Knowledge |
2772 | Build, install, configure, and test dedicated cyber defense hardware. | Task |
5090 | Assist in assessing the impact of implementing and sustaining a dedicated cyber defense infrastructure. | Task |
6700 | Skill in troubleshooting and diagnosing cyber defense infrastructure anomalies and working through resolution. | Skill |
6900 | * Knowledge of specific operational impacts of cybersecurity lapses. | Knowledge |
6935 | * Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). | Knowledge |
6938 | * Knowledge of cloud computing deployment models in private, public, and hybrid environments and the difference between on-premises and off-premises environments. | Knowledge |
Additional KSATs
KSAT ID | Description | KSAT |
---|---|---|
29 | Knowledge of data backup, types of backups (e.g., full, incremental), and recovery concepts and tools. | Knowledge |
93 | Knowledge of packet-level analysis. | Knowledge |
157 | Skill in applying host/network access controls (e.g., access control list). | Skill |
227 | Skill in tuning sensors. | Skill |
229 | Skill in using incident handling methodologies. | Skill |
237 | Skill in using Virtual Private Network (VPN) devices and encryption. | Skill |
393B | Coordinate with system administrators to create cyber defense tools, test bed(s), and test and evaluate applications, hardware infrastructure, rules/signatures, access controls, and configurations of platforms managed by service provider(s). | Task |
471 | Coordinate with Cyber Defense Analysts to manage and administer the updating of rules and signatures (e.g., intrusion detection/protection systems, anti-virus, and content blacklists) for specialized cyber defense applications. | Task |
481A | Create, edit, and manage network access control lists on specialized cyber defense systems (e.g., firewalls and intrusion prevention systems). | Task |
654B | Implement risk assessment and authorization requirements per the Risk Management Framework (RMF) process for dedicated cyber defense systems within the enterprise, and document and maintain records for them. | Task |
769 | Perform system administration on specialized cyber defense applications and systems (e.g., anti-virus, audit and remediation) or Virtual Private Network (VPN) devices, to include installation, configuration, maintenance, backup and restoration. | Task |
893 | Skill in securing network communications. | Skill |
896 | Skill in protecting a network against malware. | Skill |
900 | Knowledge of web filtering technologies. | Knowledge |
1074A | Knowledge of transmission records (e.g., Bluetooth, Radio Frequency Identification (RFID), Infrared Networking (IR), Wireless Fidelity (Wi-Fi), paging, cellular, satellite dishes, Voice over Internet Protocol (VoIP)), and jamming techniques that enable transmission of undesirable information, or prevent installed systems from operating correctly. | Knowledge |
1125 | Knowledge of Cloud-based knowledge management technologies and concepts related to security, governance, procurement, and administration. | Knowledge |
3143 | Knowledge of basic system, network, and OS hardening techniques. | Knowledge |
6210 | Knowledge of cloud service models and possible limitations for an incident response. | Knowledge |
6670 | Skill in system, network, and OS hardening techniques. | Skill |
6918 | Ability to apply cybersecurity strategy to cloud computing service and deployment models, identifying proper architecture for different operating environments. | Ability |
6919 | Ability to determine the best cloud deployment model for the appropriate operating environment. | Ability |
6942 | Skill in designing or implementing cloud computing deployment models. | Skill |
6945 | Skill in migrating workloads to, from, and among the different cloud computing service models. | Skill |
Designs, develops, tests, and evaluates information system security throughout the systems development lifecycle.
Core KSATs
KSAT ID | Description | KSAT |
---|---|---|
8A | Knowledge of access authentication methods. | Knowledge |
21 | Knowledge of computer algorithms. | Knowledge |
22 | * Knowledge of computer networking concepts and protocols, and network security methodologies. | Knowledge |
25 | Knowledge of encryption algorithms (e.g., Internet Protocol Security [IPSEC], Advanced Encryption Standard [AES], Generic Routing Encapsulation [GRE], Internet Key Exchange [IKE], Message Digest Algorithm [MD5], Secure Hash Algorithm [SHA], Triple Data Encryption Standard [3DES]). | Knowledge |
27A | Knowledge of cryptology. | Knowledge |
34 | Knowledge of database systems. | Knowledge |
38 | Knowledge of organization’s enterprise information security architecture system. | Knowledge |
43A | Knowledge of embedded systems. | Knowledge |
46 | Knowledge of fault tolerance. | Knowledge |
51 | Knowledge of how system components are installed, integrated, and optimized. | Knowledge |
52 | Knowledge of human-computer interaction principles. | Knowledge |
63 | Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). | Knowledge |
64 | Knowledge of information security systems engineering principles. | Knowledge |
70 | Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption). | Knowledge |
72 | Knowledge of local area and wide area networking principles and concepts including bandwidth management. | Knowledge |
79 | Knowledge of network access, identity, and access management (e.g., public key infrastructure [PKI]). | Knowledge |
81A | Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services. | Knowledge |
82A | Knowledge of network design processes, to include understanding of security objectives, operational objectives, and tradeoffs. | Knowledge |
90 | Knowledge of operating systems. | Knowledge |
92 | Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]). | Knowledge |
94 | Knowledge of parallel and distributed computing concepts. | Knowledge |
98 | Knowledge of policy-based and risk-adaptive access controls. | Knowledge |
101 | Knowledge of process engineering concepts. | Knowledge |
108 | * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). | Knowledge |
109 | Knowledge of secure configuration management techniques. | Knowledge |
110A | Knowledge of security management. | Knowledge |
118 | Knowledge of software development models (e.g., Waterfall Model, Spiral Model). | Knowledge |
119 | Knowledge of software engineering. | Knowledge |
121 | Knowledge of structured analysis principles and methods. | Knowledge |
124 | Knowledge of system design tools, methods, and techniques, including automated systems analysis and design tools. | Knowledge |
126 | Knowledge of system software and organizational design standards, policies, and authorized approaches (e.g., International Organization for Standardization [ISO] guidelines) relating to system design. | Knowledge |
129 | Knowledge of system life cycle management principles, including software security and usability. | Knowledge |
130 | Knowledge of systems testing and evaluation methods. | Knowledge |
144 | Knowledge of the systems engineering process. | Knowledge |
177 | Skill in designing countermeasures to identified security risks. | Skill |
179 | Skill in designing security controls based on cybersecurity principles and tenets. | Skill |
197 | Skill in discerning the protection needs (i.e., security controls) of information systems and networks. | Skill |
199 | Skill in evaluating the adequacy of security designs. | Skill |
416 | Analyze design constraints, analyze trade-offs and detailed system and security design, and consider lifecycle support. | Task |
419 | Apply security policies to applications that interface with one another, such as Business-to-Business (B2B) applications. | Task |
425 | Assess the effectiveness of cybersecurity measures utilized by system(s). | Task |
426 | Assess threats to and vulnerabilities of computer system(s) to develop a security risk profile. | Task |
431 | Build, test, and modify product prototypes using working models or theoretical models. | Task |
457 | Conduct Privacy Impact Assessments (PIA) of the application’s security design for the appropriate security controls, which protect the confidentiality and integrity of Personally Identifiable Information (PII). | Task |
494 | Design and develop cybersecurity or cybersecurity-enabled products. | Task |
496A | Design, develop, integrate, and update system security measures that provide confidentiality, integrity, availability, authentication, and non-repudiation. | Task |
501 | Design or integrate appropriate data backup capabilities into overall system designs, and ensure appropriate technical and procedural processes exist for secure system backups and protected storage of backup data. | Task |
503A | Design to security requirements to ensure requirements are met for all systems and/or applications. | Task |
516 | Develop and direct system testing and validation procedures and documentation. | Task |
530 | Develop detailed security design documentation for component and interface specifications to support system design and development. | Task |
531 | Develop Disaster Recovery and Continuity of Operations plans for systems under development and ensure testing prior to systems entering a production environment. | Task |
630 | Identify and direct the remediation of technical problems encountered during testing and implementation of new systems (e.g., identify and find work-arounds for communication protocols that are not interoperable). | Task |
659 | Implement security designs for new or existing system(s). | Task |
662 | Incorporate cybersecurity vulnerability solutions into system designs (e.g., Cybersecurity Vulnerability Alerts). | Task |
737B | Perform an information security risk assessment. |
Task |
766A | Perform security reviews and identify security gaps in architecture. |
Task |
770 | Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change. |
Task |
809 | Provide input to the Risk Management Framework process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials). |
Task |
850 | Store, retrieve, and manipulate data for analysis of system capabilities and requirements. |
Task |
856 | Provide support to security/certification test and evaluation activities. |
Task |
997 | Design and develop key management functions (as related to cybersecurity). |
Task |
998 | Analyze user needs and requirements to plan and conduct system security development. |
Task |
1000 | Ensure security design and cybersecurity development activities are properly documented (providing a functional description of security implementation) and updated as necessary. |
Task |
1002 | Skill in conducting audits or reviews of technical systems. |
Skill |
1072 | Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). |
Knowledge |
1073 | Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools. |
Knowledge |
1133 | Knowledge of service management concepts for networks and related standards (e.g., Information Technology Infrastructure Library, current version [ITIL]). |
Knowledge |
1142 | Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model). |
Knowledge |
1152 | Implement and integrate system development life cycle (SDLC) methodologies (e.g., IBM Rational Unified Process) into development environment. |
Task |
1157 | * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity. |
Knowledge |
1158 | * Knowledge of cybersecurity principles. |
Knowledge |
1159 | * Knowledge of cyber threats and vulnerabilities. |
Knowledge |
2354 | Employ configuration management processes. |
Task |
5200 | Design, implement, test, and evaluate secure interfaces between information systems, physical systems, and/or embedded technologies. |
Task |
6900 | * Knowledge of specific operational impacts of cybersecurity lapses. |
Knowledge |
6935 | * Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). |
Knowledge |
6938 | * Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments. |
Knowledge |
Additional KSATs
KSAT ID | Description | KSAT |
---|---|---|
3B | Skill in conducting vulnerability scans and recognizing vulnerabilities in information systems and networks. | Skill |
40 | Knowledge of organization’s evaluation and validation requirements. | Knowledge |
42 | Knowledge of electrical engineering as applied to computer architecture, including circuit boards, processors, chips, and associated computer hardware. | Knowledge |
65A | Knowledge of Information Theory (e.g., source coding, channel coding, algorithm complexity theory, and data compression). | Knowledge |
75 | Knowledge of mathematics, including logarithms, trigonometry, linear algebra, calculus, and statistics. | Knowledge |
78 | Knowledge of microprocessors. | Knowledge |
100 | Knowledge of Privacy Impact Assessments. | Knowledge |
133 | Knowledge of key telecommunications concepts (e.g., Routing Algorithms, Fiber Optics Systems Link Budgeting, Add/Drop Multiplexers). | Knowledge |
173A | Skill in integrating and applying policies that meet system security objectives. | Skill |
177A | Knowledge of countermeasure design for identified security risks. | Knowledge |
180 | Skill in designing the integration of hardware and software solutions. | Skill |
191 | Skill in developing and applying security system access controls. | Skill |
224A | Skill in the use of design modeling (e.g., unified modeling language). | Skill |
542A | Develop risk mitigation strategies and cybersecurity countermeasures to address cost, performance, and security risks and to resolve vulnerabilities and recommend security changes to system or system components as needed. | Task |
542A | Develop mitigation strategies to address cost, schedule, performance, and security risks. | Task |
626 | Identify components or elements, allocate security functions to those elements, and describe the relationships between the elements. | Task |
632 | Identify and prioritize essential system functions or sub-systems required to support essential capabilities or business functions for restoration or recovery after a system failure or during a system recovery event based on overall system requirements for continuity and availability. | Task |
648 | Identify, assess, and recommend cybersecurity or cybersecurity-enabled products for use within a system and ensure recommended products are in compliance with organization’s evaluation and validation requirements. | Task |
710 | Monitor and evaluate a system’s compliance with information technology (IT) security, resilience, and dependability requirements. | Task |
803 | Provide guidelines for implementing developed systems to customers or installation teams. | Task |
808A | Provide input to implementation plans and standard operating procedures as they relate to information systems security. | Task |
860A | Trace system requirements to design components and perform gap analysis. | Task |
874 | Utilize models and simulations to analyze or predict system performance under different operating conditions. | Task |
877A | Verify stability, interoperability, portability, and/or scalability of system architecture. | Task |
904 | Knowledge of interpreted and compiled computer languages. | Knowledge |
936 | Develop security compliance processes and/or audits for external services (e.g., cloud service providers, data centers). | Task |
999 | Develop cybersecurity designs to meet specific operational needs and environmental factors (e.g., access controls, automated applications, networked operations, high integrity and availability requirements, multilevel security/processing of multiple classification levels, and processing Sensitive Compartmented Information). | Task |
1034A | Knowledge of Personally Identifiable Information (PII) data security standards. | Knowledge |
1034B | Knowledge of Payment Card Industry (PCI) data security standards. | Knowledge |
1034C | Knowledge of Personal Health Information (PHI) data security standards. | Knowledge |
1037 | Knowledge of information technology (IT) supply chain security and risk management policies, requirements, and procedures. | Knowledge |
1038B | Knowledge of local specialized system requirements (e.g., critical infrastructure/control systems that may not use standard information technology [IT]) for safety, performance, and reliability. | Knowledge |
1125 | Knowledge of Cloud-based knowledge management technologies and concepts related to security, governance, procurement, and administration. | Knowledge |
1135 | Knowledge of the application firewall concepts and functions (e.g., Single point of authentication/audit/policy enforcement, message scanning for malicious content, data anonymization for PCI and PII compliance, data loss protection scanning, accelerated cryptographic operations, SSL security, REST/JSON processing). | Knowledge |
1140A | Skill in using Public-Key Infrastructure (PKI) encryption and digital signature capabilities into applications (e.g., S/MIME email, SSL traffic). | Skill |
1141A | Knowledge of an organization’s information classification program and procedures for information compromise. | Knowledge |
6918 | Ability to apply cybersecurity strategy to cloud computing service and deployment models, identifying proper architecture for different operating environments. | Ability |
6919 | Ability to determine the best cloud deployment model for the appropriate operating environment. | Ability |
Responsible for the cybersecurity of a program, organization, system, or enclave.
Core KSATs
KSAT ID | Description | KSAT |
---|---|---|
22 | * Knowledge of computer networking concepts and protocols, and network security methodologies. | Knowledge |
29 | Knowledge of data backup, types of backups (e.g., full, incremental), and recovery concepts and tools. | Knowledge |
37 | Knowledge of disaster recovery continuity of operations plans. | Knowledge |
49 | Knowledge of host/network access control mechanisms (e.g., access control list). | Knowledge |
55 | Knowledge of cybersecurity principles used to manage risks related to the use, processing, storage, and transmission of information or data. | Knowledge |
58 | Knowledge of known vulnerabilities from alerts, advisories, errata, and bulletins. | Knowledge |
61 | Knowledge of incident response and handling methodologies. | Knowledge |
66 | Knowledge of intrusion detection methodologies and techniques for detecting host and network-based intrusions via intrusion detection technologies. | Knowledge |
77 | Knowledge of current industry methods for evaluating, implementing, and disseminating information technology (IT) security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities. | Knowledge |
108 | * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). | Knowledge |
112 | Knowledge of server administration and systems engineering theories, concepts, and methods. | Knowledge |
126 | Knowledge of system software and organizational design standards, policies, and authorized approaches (e.g., International Organization for Standardization [ISO] guidelines) relating to system design. | Knowledge |
129 | Knowledge of system life cycle management principles, including software security and usability. | Knowledge |
143 | Knowledge of the organization’s enterprise information technology (IT) goals and objectives. | Knowledge |
150 | Knowledge of what constitutes a network attack and the relationship to both threats and vulnerabilities. | Knowledge |
173 | Skill in creating policies that reflect system security objectives. | Skill |
183 | Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes. | Skill |
299 | Knowledge of information security program management and project management principles and techniques. | Knowledge |
391 | Acquire and manage the necessary resources, including leadership support, financial resources, and key security personnel, to support information technology (IT) security goals and objectives and reduce overall organizational risk. | Task |
395 | Advise senior management (e.g., CIO) on risk levels and security posture. | Task |
397 | Advise appropriate senior leadership or Authorizing Official of changes affecting the organization’s cybersecurity posture. | Task |
440 | Collect and maintain data needed to meet system cybersecurity reporting. | Task |
445 | Communicate the value of information technology (IT) security throughout all levels of the organization stakeholders. | Task |
578 | Ensure security improvement actions are evaluated, validated, and implemented as required. | Task |
584 | Ensure that cybersecurity inspections, tests, and reviews are coordinated for the network environment. | Task |
585 | Ensure that cybersecurity requirements are integrated into the continuity planning for that system and/or organization(s). | Task |
628 | Identify alternative information security strategies to address organizational security objective. | Task |
640 | Identify information technology (IT) security program implications of new technologies or technology upgrades. | Task |
677 | Interpret patterns of non-compliance to determine their impact on levels of risk and/or overall effectiveness of the enterprise’s cybersecurity program. | Task |
705 | Manage the monitoring of information security data sources to maintain organizational situational awareness. | Task |
730 | Oversee the information security training and awareness program. | Task |
733 | Participate in the development or modification of the computer environment cybersecurity program plans and requirements. | Task |
790 | Prepare, distribute, and maintain plans, instructions, guidance, and standard operating procedures concerning the security of network system(s) operations. | Task |
816 | Provide system related input on cybersecurity requirements to be included in statements of work and other appropriate procurement documents. | Task |
824 | Recognize a possible security violation and take appropriate action to report the incident, as required. | Task |
828 | Recommend resource allocations required to securely operate and maintain an organization’s cybersecurity requirements. | Task |
852 | Supervise or manage protective or corrective measures when a cybersecurity incident or vulnerability is discovered. | Task |
862 | Track audit findings and recommendations to ensure appropriate mitigation actions are taken. | Task |
919 | Promote awareness of security issues among management and ensure sound security principles are reflected in the organization’s vision and goals. | Task |
947 | Oversee policy standards and implementation strategies to ensure procedures and guidelines comply with cybersecurity policies. | Task |
962 | Identify security requirements specific to an information technology (IT) system in all phases of the System Life Cycle. | Task |
963 | Ensure plans of actions and milestones or remediation plans are in place for vulnerabilities identified during risk assessments, audits, inspections, etc. | Task |
964 | Assure successful implementation and functionality of security requirements and appropriate information technology (IT) policies and procedures that are consistent with the organization’s mission and goals. | Task |
965 | Knowledge of organization’s risk tolerance and/or risk management approach. | Knowledge |
966 | Knowledge of enterprise incident response program, roles, and responsibilities. | Knowledge |
967 | Knowledge of current and emerging threats/threat vectors. | Knowledge |
1016 | Support necessary compliance activities (e.g., ensure system security configuration guidelines are followed, compliance monitoring occurs). | Task |
1032 | Continuously validate the organization against policies/guidelines/procedures/regulations/laws to ensure compliance. | Task |
1034A | Knowledge of Personally Identifiable Information (PII) data security standards. | Knowledge |
1036 | Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed. | Knowledge |
1037 | Knowledge of information technology (IT) supply chain security and risk management policies, requirements, and procedures. | Knowledge |
1072 | Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). | Knowledge |
1141A | Knowledge of an organization’s information classification program and procedures for information compromise. | Knowledge |
1157 | * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity. | Knowledge |
1158 | * Knowledge of cybersecurity principles. | Knowledge |
1159 | * Knowledge of cyber threats and vulnerabilities. | Knowledge |
6900 | * Knowledge of specific operational impacts of cybersecurity lapses. | Knowledge |
6935 | * Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). | Knowledge |
6938 | * Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments. | Knowledge |
Additional KSATs
KSAT ID | Description | KSAT |
---|---|---|
9 | Knowledge of applicable business processes and operations of customer organizations. | Knowledge |
25 | Knowledge of encryption algorithms (e.g., Internet Protocol Security [IPSEC], Advanced Encryption Standard [AES], Generic Routing Encapsulation [GRE], Internet Key Exchange [IKE], Message Digest Algorithm [MD5], Secure Hash Algorithm [SHA], Triple Data Encryption Standard [3DES]). | Knowledge |
62 | Knowledge of industry-standard and organizationally accepted analysis principles and methods. | Knowledge |
69A | Knowledge of risk management processes and requirements per the Risk Management Framework (RMF). | Knowledge |
76 | Knowledge of measures or indicators of system performance and availability. | Knowledge |
81A | Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services. | Knowledge |
87 | Knowledge of network traffic analysis methods. | Knowledge |
88A | Knowledge of current and emerging cyber technologies. | Knowledge |
92 | Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]). | Knowledge |
95A | Knowledge of penetration testing principles, tools, and techniques. | Knowledge |
105 | Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code). | Knowledge |
107 | Knowledge of resource management principles and techniques. | Knowledge |
113 | Knowledge of server and client operating systems. | Knowledge |
132 | Knowledge of technology integration processes. | Knowledge |
325 | Knowledge of secure acquisitions (e.g., relevant Contracting Officer’s Technical Representative [COTR] duties, secure procurement, supply chain risk management). | Knowledge |
392 | Acquire necessary resources, including financial resources, to conduct an effective enterprise continuity of operations program. | Task |
396 | Advise senior management (e.g., CIO) on cost/benefit analysis of information security programs, policies, processes, and systems, and elements. | Task |
475 | Collaborate with stakeholders to establish the enterprise continuity of operations program, strategy, and mission assurance. | Task |
572 | Ensure application of security patches for commercial products integrated into system design meet the timelines dictated by the management authority for the intended operational environment. | Task |
590 | Ensure that protection and detection capabilities are acquired or developed using the IS security engineering approach and are consistent with organization-level cybersecurity architecture. | Task |
596 | Establish overall enterprise information security architecture (EISA) with the organization’s overall security strategy. | Task |
598A | Evaluate and approve development efforts to ensure that baseline security safeguards controls/measures are appropriately installed. | Task |
600 | Evaluate cost benefit, economic, and risk analysis in decision making process. | Task |
674 | Interface with external organizations (e.g., public affairs, law enforcement, Command or Component Inspector General) to ensure appropriate and accurate dissemination of incident and other Computer Network Defense information. | Task |
676 | Interpret and/or approve security requirements relative to the capabilities of new information technologies. | Task |
679 | Lead and align information technology (IT) security priorities with the security strategy. | Task |
680 | Lead and oversee information security budget, staffing, and contracting. | Task |
706 | Manage the publishing of Computer Network Defense guidance (e.g., TCNOs, Concept of Operations, Net Analyst Reports, NTSM, MTOs) for the enterprise constituency. | Task |
707 | Manage threat or target analysis of cyber defense information and production of threat information within the enterprise. | Task |
711 | Monitor and evaluate the effectiveness of the enterprise’s cybersecurity safeguards to ensure they provide the intended level of protection. | Task |
731A | Participate in risk assessment and authorization per Risk Management Framework processes. | Task |
801 | Provide enterprise cybersecurity and supply chain risk management guidance for development of the Continuity of Operations Plans. | Task |
810 | Provide leadership and direction to information technology (IT) personnel by ensuring that cybersecurity awareness, basics, literacy, and training are provided to operations personnel commensurate with their responsibilities. | Task |
818 | Provide technical documents, incident reports, findings from computer examinations, summaries, and other situational awareness information to higher headquarters. | Task |
848 | Recommend policy and coordinate review and approval. | Task |
869 | Use federal and organization-specific published documents to manage operations of their computing environment system(s). | Task |
948 | Participate in Risk Governance process to provide security risks, mitigations, and input on other technical risk. | Task |
949 | Evaluate the effectiveness of procurement function in addressing information security requirements and supply chain risks through procurement activities and recommend improvements. | Task |
1004 | Knowledge of critical information technology (IT) procurement requirements. | Knowledge |
1017 | Participate in the acquisition process as necessary, following appropriate supply chain risk management practices. | Task |
1018 | Ensure all acquisitions, procurements, and outsourcing efforts address information security requirements consistent with organization goals. | Task |
1033 | Knowledge of basic system administration, network, and operating system hardening techniques. | Knowledge |
1034C | Knowledge of Personal Health Information (PHI) data security standards. | Knowledge |
1034B | Knowledge of Payment Card Industry (PCI) data security standards. | Knowledge |
1035 | Forecast ongoing service demands and ensure security assumptions are reviewed as necessary. | Task |
1038B | Knowledge of local specialized system requirements (e.g., critical infrastructure/control systems that may not use standard information technology [IT]) for safety, performance, and reliability. | Knowledge |
1039 | Skill in evaluating the trustworthiness of the supplier and/or product. | Skill |
1040A | Knowledge of relevant laws, policies, procedures, or governance related to critical infrastructure. | Knowledge |
1041 | Define and/or implement policies and procedures to ensure protection of critical infrastructure as appropriate. | Task |
1073 | Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools. | Knowledge |
1131 | Knowledge of security architecture concepts and enterprise architecture reference models (e.g., Zachman, Federal Enterprise Architecture [FEA]). | Knowledge |
6918 | Ability to apply cybersecurity strategy to cloud computing service and deployment models, identifying proper architecture for different operating environments. | Ability |
Analyzes the security of new or existing computer applications, software, or specialized utility programs and provides actionable results.
Core KSATs
KSAT ID | Description | KSAT |
---|---|---|
22 | * Knowledge of computer networking concepts and protocols, and network security methodologies. | Knowledge |
40 | Knowledge of organization’s evaluation and validation requirements. | Knowledge |
56 | Knowledge of cybersecurity principles and methods that apply to software development. | Knowledge |
63 | Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). | Knowledge |
90 | Knowledge of operating systems. | Knowledge |
105 | Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code). | Knowledge |
108 | * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). | Knowledge |
109 | Knowledge of secure configuration management techniques. | Knowledge |
177 | Skill in designing countermeasures to identified security risks. | Skill |
197 | Skill in discerning the protection needs (i.e., security controls) of information systems and networks. | Skill |
417 | Apply coding and testing standards, apply security testing tools including “fuzzing” and static-analysis code scanning tools, and conduct code reviews. | Task |
432 | Capture security controls used during the requirements phase to integrate security within the process, to identify key security objectives, and to maximize software security while minimizing disruption to plans and schedules. | Task |
467 | Consult with engineering staff to evaluate interface between hardware and software. | Task |
515B | Develop secure software testing and validation procedures. | Task |
634 | Identify basic common coding flaws at a high level. | Task |
645 | Identify security issues around steady state operation and management of software and incorporate security measures that must be taken when a product reaches its end of life. | Task |
764A | Perform secure program testing, review, and/or assessment to identify potential flaws in codes and mitigate vulnerabilities. | Task |
770 | Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change. | Task |
826 | Address security implications in the software acceptance phase including completion criteria, risk acceptance and documentation, common criteria, and methods of independent testing. | Task |
865 | Translate security requirements into application design elements including documenting the elements of the software attack surfaces, conducting threat modeling, and defining any specific security criteria. | Task |
972A | Determine and document software patches or the extent of releases that would leave software vulnerable. | Task |
973A | Skill in using code analysis tools. | Skill |
976 | Knowledge of software quality assurance process. | Knowledge |
1020A | Skill in secure test plan design (e.g., unit, integration, system, acceptance). | Skill |
1034A | Knowledge of Personally Identifiable Information (PII) data security standards. | Knowledge |
1037A | Knowledge of information technology (IT) risk management policies, requirements, and procedures. | Knowledge |
1071 | Knowledge of secure software deployment methodologies, tools, and practices. | Knowledge |
1157 | * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity. | Knowledge |
1158 | * Knowledge of cybersecurity principles. | Knowledge |
1159 | * Knowledge of cyber threats and vulnerabilities. | Knowledge |
6900 | * Knowledge of specific operational impacts of cybersecurity lapses. | Knowledge |
6935 | * Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). | Knowledge |
6938 | * Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments. | Knowledge |
Additional KSATs
KSAT ID | Description | KSAT |
---|---|---|
3B | Skill in conducting vulnerability scans and recognizing vulnerabilities in information systems and networks. | Skill |
20 | Knowledge of complex data structures. | Knowledge |
23 | Knowledge of computer programming principles such as object-oriented design. | Knowledge |
38 | Knowledge of organization’s enterprise information security architecture system. | Knowledge |
43A | Knowledge of embedded systems. | Knowledge |
72 | Knowledge of local area and wide area networking principles and concepts including bandwidth management. | Knowledge |
74 | Knowledge of low-level computer languages (e.g., assembly languages). | Knowledge |
81A | Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services. | Knowledge |
95A | Knowledge of penetration testing principles, tools, and techniques. | Knowledge |
100 | Knowledge of Privacy Impact Assessments. | Knowledge |
102 | Knowledge of programming language structures and logic. | Knowledge |
116 | Knowledge of software debugging principles. | Knowledge |
117 | Knowledge of software design tools, methods, and techniques. | Knowledge |
118 | Knowledge of software development models (e.g., Waterfall Model, Spiral Model). | Knowledge |
119 | Knowledge of software engineering. | Knowledge |
121 | Knowledge of structured analysis principles and methods. | Knowledge |
124 | Knowledge of system design tools, methods, and techniques, including automated systems analysis and design tools. | Knowledge |
149 | Knowledge of web services, including service-oriented architecture, Simple Object Access Protocol, and web service description language. | Knowledge |
168 | Skill in conducting software debugging. | Skill |
191 | Skill in developing and applying security system access controls. | Skill |
408A | Analyze and provide information to stakeholders that will support the development of a security application or modification of an existing security application. | Task |
414A | Analyze security needs and software requirements to determine feasibility of design within time and cost constraints and security mandates. | Task |
418 | Apply secure code documentation. | Task |
459A | Conduct trial runs of programs and software applications to ensure the desired information is produced and instructions and security levels are correct. | Task |
465 | Develop threat model based on customer interviews and requirements. | Task |
515C | Develop system testing and validation procedures, programming, and documentation. | Task |
602 | Evaluate factors such as reporting formats required, cost constraints, and need for security restrictions to determine hardware configuration. | Task |
644 | Identify security implications and apply methodologies within centralized and decentralized environments across the enterprise’s computer systems in software development. | Task |
710 | Monitor and evaluate a system’s compliance with information technology (IT) security, resilience, and dependability requirements. | Task |
756 | Perform integrated quality assurance testing for security functionality and resiliency attack. | Task |
850 | Store, retrieve, and manipulate data for analysis of system capabilities and requirements. | Task |
904 | Knowledge of interpreted and compiled computer languages. | Knowledge |
905 | Knowledge of secure coding techniques. | Knowledge |
936 | Develop security compliance processes and/or audits for external services (e.g., cloud service providers, data centers). | Task |
968 | Knowledge of software related information technology (IT) security principles and methods (e.g., modularization, layering, abstraction, data hiding, simplicity/minimization). |
Knowledge |
969 | Perform penetration testing as required for new or updated applications. |
Task |
975 | Skill in integrating black box security testing tools into quality assurance process of software releases. |
Skill |
978A | Knowledge of root cause analysis techniques. |
Knowledge |
979 | Knowledge of supply chain risk management standards, processes, and practices. |
Knowledge |
980A | Skill in performing root cause analysis. |
Skill |
1034B | Knowledge of Payment Card Industry (PCI) data security standards. |
Knowledge |
1034C | Knowledge of Personal Health Information (PHI) data security standards. |
Knowledge |
1038B | Knowledge of local specialized system requirements (e.g., critical infrastructure/control systems that may not use standard information technology [IT]) for safety, performance, and reliability). |
Knowledge |
1072 | Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). |
Knowledge |
1131 | Knowledge of security architecture concepts and enterprise architecture reference models (e.g., Zackman, Federal Enterprise Architecture [FEA]). |
Knowledge |
1135 | Knowledge of the application firewall concepts and functions (e.g., Single point of authentication/audit/policy enforcement, message scanning for malicious content, data anonymization for PCI and PII compliance, data loss protection scanning, accelerated cryptographic operations, SSL security, REST/JSON processing). |
Knowledge |
1140A | Skill in using Public-Key Infrastructure (PKI) encryption and digital signature capabilities into applications (e.g., S/MIME email, SSL traffic). |
Skill |
2156 | Consult with customers about software system design and maintenance. |
Task |
2335 | Direct software programming and development of documentation. |
Task |
2839 | Supervise and assign work to programmers, designers, technologists and technicians and other engineering and scientific personnel. |
Task |
3080 | Ability to use and understand complex mathematical concepts (e.g., discrete math). |
Ability |
6932 | Knowledge of mobile device (Android/iOS) development structures, principles, platforms, containers, languages, and the specific vulnerabilities associated with mobile device development. |
Knowledge |
6944 | Skill in implementing defensive programming techniques. |
Skill |
Designs enterprise and systems security throughout the development lifecycle; translates technology and environmental conditions (e.g., law and regulation) into security designs and processes.
Core KSATs
KSAT ID | Description | KSAT |
---|---|---|
22 | * Knowledge of computer networking concepts and protocols, and network security methodologies. | Knowledge |
38 | Knowledge of organization’s enterprise information security architecture system. | Knowledge |
63 | Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). | Knowledge |
68B | Ability to design architectures and frameworks. | Ability |
70B | Skill in applying cybersecurity methods, such as firewalls, demilitarized zones, and encryption. | Skill |
108 | * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). | Knowledge |
143A | Knowledge of integrating the organization’s goals and objectives into the architecture. | Knowledge |
183 | Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes. | Skill |
197A | Skill in translating operational requirements into protection needs (i.e., security controls). | Skill |
534 | Develop/integrate cybersecurity designs for systems and networks with multilevel security requirements or requirements for the processing of multiple classification levels of data primarily applicable to government organizations (e.g., UNCLASSIFIED, SECRET, and TOP SECRET). | Task |
561 | Document and address organization’s information security, cybersecurity architecture, and systems security engineering requirements throughout the acquisition lifecycle. | Task |
568 | Employ secure configuration management processes. | Task |
579 | Ensure acquired or developed system(s) and architecture(s) are consistent with organization’s cybersecurity architecture guidelines. | Task |
631 | Identify and prioritize critical business functions in collaboration with organizational stakeholders. | Task |
646A | Document the protection needs (i.e., security controls) for the information system(s) and network(s) and document appropriately. | Task |
765 | Perform security reviews, identify gaps in security architecture, and develop a security risk management plan. | Task |
994 | Define and document how the implementation of a new system or new interfaces between systems impacts the security posture of the current environment. | Task |
1072A | Ability to apply network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). | Ability |
1157 | * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity. | Knowledge |
1158 | * Knowledge of cybersecurity principles. | Knowledge |
1159 | * Knowledge of cyber threats and vulnerabilities. | Knowledge |
2248 | Develop a system security context, a preliminary system security CONOPS, and define baseline system security requirements in accordance with applicable cybersecurity requirements. | Task |
2390 | Evaluate security architectures and designs to determine the adequacy of security design and architecture proposed or provided in response to requirements contained in acquisition documents. | Task |
3307 | Knowledge of cybersecurity-enabled software products. | Knowledge |
6030 | Ability to apply an organization’s goals and objectives to develop and maintain architecture. | Ability |
6900 | * Knowledge of specific operational impacts of cybersecurity lapses. | Knowledge |
6935 | * Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). | Knowledge |
6938 | * Knowledge of cloud computing deployment models in private, public, and hybrid environments and the difference between on-premises and off-premises environments. | Knowledge |
Additional KSATs
KSAT ID | Description | KSAT |
---|---|---|
8 | Knowledge of authentication, authorization, and access control methods. | Knowledge |
21 | Knowledge of computer algorithms. | Knowledge |
25 | Knowledge of encryption algorithms (e.g., Internet Protocol Security [IPSEC], Advanced Encryption Standard [AES], Generic Routing Encapsulation [GRE], Internet Key Exchange [IKE], Message Digest Algorithm [MD5], Secure Hash Algorithm [SHA], Triple Data Encryption Standard [3DES]). | Knowledge |
27 | Knowledge of cryptography and cryptographic key management concepts. | Knowledge |
34 | Knowledge of database systems. | Knowledge |
40A | Knowledge of organization’s evaluation and validation criteria. | Knowledge |
42 | Knowledge of electrical engineering as applied to computer architecture, including circuit boards, processors, chips, and associated computer hardware. | Knowledge |
43A | Knowledge of embedded systems. | Knowledge |
46A | Knowledge of system fault tolerance methodologies. | Knowledge |
51 | Knowledge of how system components are installed, integrated, and optimized. | Knowledge |
52 | Knowledge of human-computer interaction principles. | Knowledge |
53A | Knowledge of security risk assessments and authorization per Risk Management Framework processes. | Knowledge |
53 | Knowledge of the Security Assessment and Authorization process. | Knowledge |
62 | Knowledge of industry-standard and organizationally accepted analysis principles and methods. | Knowledge |
65A | Knowledge of Information Theory (e.g., source coding, channel coding, algorithm complexity theory, and data compression). | Knowledge |
69A | Knowledge of risk management processes and requirements per the Risk Management Framework (RMF). | Knowledge |
75 | Knowledge of mathematics, including logarithms, trigonometry, linear algebra, calculus, and statistics. | Knowledge |
78 | Knowledge of microprocessors. | Knowledge |
79 | Knowledge of network access, identity, and access management (e.g., public key infrastructure [PKI]). | Knowledge |
81A | Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services. | Knowledge |
82A | Knowledge of network design processes, to include understanding of security objectives, operational objectives, and tradeoffs. | Knowledge |
90 | Knowledge of operating systems. | Knowledge |
92 | Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]). | Knowledge |
94 | Knowledge of parallel and distributed computing concepts. | Knowledge |
109A | Knowledge of configuration management techniques. | Knowledge |
110 | Knowledge of key concepts in security management (e.g., Release Management, Patch Management). | Knowledge |
111A | Ability to apply secure system design tools, methods and techniques. | Ability |
113A | Knowledge of N-tiered topologies including server and client operating systems. | Knowledge |
119 | Knowledge of software engineering. | Knowledge |
124A | Ability to apply system design tools, methods, and techniques, including automated systems analysis and design tools. | Ability |
130 | Knowledge of systems testing and evaluation methods. | Knowledge |
132 | Knowledge of technology integration processes. | Knowledge |
133 | Knowledge of key telecommunications concepts (e.g., Routing Algorithms, Fiber Optics Systems Link Budgeting, Add/Drop Multiplexers). | Knowledge |
141A | Knowledge of the enterprise information technology (IT) architectural concepts and patterns to include baseline and target architectures. | Knowledge |
144 | Knowledge of the systems engineering process. | Knowledge |
155 | Skill in applying and incorporating information technologies into proposed solutions. | Skill |
180 | Skill in designing the integration of hardware and software solutions. | Skill |
224 | Skill in design modeling and building use cases (e.g., unified modeling language). | Skill |
238A | Skill in writing code in a currently supported programming language (e.g., Java, C++). | Skill |
413A | Analyze user needs and requirements to plan architecture. | Task |
465 | Develop threat model based on customer interviews and requirements. | Task |
483 | Define and prioritize essential system capabilities or business functions required for partial or full system restoration after a catastrophic failure event. | Task |
484 | Define appropriate levels of system availability based on critical system functions and ensure system requirements identify appropriate disaster recovery and continuity of operations requirements to include any appropriate fail-over/alternate site requirements, backup requirements, and material supportability requirements for system recovery/restoration. | Task |
502A | Develop enterprise architecture or system components required to meet user needs. | Task |
525A | Develop procedures and test fail-over for system operations transfer to an alternate site based on system availability requirements. | Task |
569A | Document and update as necessary all definition and architecture activities. | Task |
602 | Evaluate factors such as reporting formats required, cost constraints, and need for security restrictions to determine hardware configuration. | Task |
669 | Integrate and align information security and/or cybersecurity policies to ensure system analysis meets security requirements. | Task |
797 | Provide advice on project costs, design concepts, or design changes. | Task |
807 | Provide input on security requirements to be included in statements of work and other appropriate procurement documents. | Task |
809 | Provide input to the Risk Management Framework process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials). | Task |
864A | Translate proposed capabilities into technical requirements. | Task |
865 | Translate security requirements into application design elements including documenting the elements of the software attack surfaces, conducting threat modeling, and defining any specific security criteria. | Task |
936 | Develop security compliance processes and/or audits for external services (e.g., cloud service providers, data centers). | Task |
993A | Ability to apply the methods, standards, and approaches for describing, analyzing, and documenting an organization’s enterprise information technology (IT) architecture (e.g., Open Group Architecture Framework [TOGAF], Department of Defense Architecture Framework [DoDAF], Federal Enterprise Architecture Framework [FEAF]). | Ability |
996A | Assess and design security management functions as related to cyberspace. | Task |
1034C | Knowledge of Personal Health Information (PHI) data security standards. | Knowledge |
1034B | Knowledge of Payment Card Industry (PCI) data security standards. | Knowledge |
1034A | Knowledge of Personally Identifiable Information (PII) data security standards. | Knowledge |
1037B | Knowledge of program protection planning to include information technology (IT) supply chain security/risk management policies, anti-tampering techniques, and requirements. | Knowledge |
1038 | Knowledge of local specialized system requirements (e.g., critical infrastructure systems that may not use standard information technology [IT]) for safety, performance, and reliability. | Knowledge |
1038B | Knowledge of local specialized system requirements (e.g., critical infrastructure/control systems that may not use standard information technology [IT]) for safety, performance, and reliability. | Knowledge |
1073 | Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools. | Knowledge |
1125 | Knowledge of Cloud-based knowledge management technologies and concepts related to security, governance, procurement, and administration. | Knowledge |
1130 | Knowledge of organizational process improvement concepts and process maturity models (e.g., Capability Maturity Model Integration (CMMI) for Development, CMMI for Services, and CMMI for Acquisitions). | Knowledge |
1133 | Knowledge of service management concepts for networks and related standards (e.g., Information Technology Infrastructure Library, current version [ITIL]). | Knowledge |
1135 | Knowledge of the application firewall concepts and functions (e.g., Single point of authentication/audit/policy enforcement, message scanning for malicious content, data anonymization for PCI and PII compliance, data loss protection scanning, accelerated cryptographic operations, SSL security, REST/JSON processing). | Knowledge |
1136A | Knowledge of use cases related to collaboration and content synchronization across platforms (e.g., Mobile, PC, Cloud). | Knowledge |
1140A | Skill in using Public-Key Infrastructure (PKI) encryption and digital signature capabilities in applications (e.g., S/MIME email, SSL traffic). | Skill |
1141A | Knowledge of an organization’s information classification program and procedures for information compromise. | Knowledge |
1142B | Skill in applying security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model). | Skill |
1147A | Develop data management capabilities (e.g., cloud based, centralized cryptographic key management) to include support to the mobile workforce. | Task |
2014 | Analyze candidate architectures, allocate security services, and select security mechanisms. | Task |
2887 | Write detailed functional specifications that document the architecture development process. | Task |
3153 | Knowledge of circuit analysis. | Knowledge |
3246 | Knowledge of confidentiality, integrity, and availability requirements. | Knowledge |
3642 | Knowledge of various types of computer architectures. | Knowledge |
6150 | Ability to optimize systems to meet enterprise performance requirements. | Ability |
6210 | Knowledge of cloud service models and possible limitations for an incident response. | Knowledge |
6330 | Knowledge of multi-level/security cross domain solutions. | Knowledge |
6640 | Skill in designing multi-level security/cross domain solutions. | Skill |
6680 | Skill in the use of design methods. | Skill |
6918 | Ability to apply cybersecurity strategy to cloud computing service and deployment models, identifying proper architecture for different operating environments. | Ability |
6919 | Ability to determine the best cloud deployment model for the appropriate operating environment. | Ability |
6942 | Skill in designing or implementing cloud computing deployment models. | Skill |
6945 | Skill in migrating workloads to, from, and among the different cloud computing service models. | Skill |
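KSAT 1142B above (skill in applying security models such as Bell-LaPadula and Biba) and KSAT 534/6330 (multilevel security designs) name the models without showing the access rules they impose. The following is an added example, not part of the DCWF listing or any DoD tool, that encodes both models as mandatory access control checks over a lattice of labels. The level names, the compartments ("NATO", "CRYPTO") and the sample subject and objects are constructed for illustration; the rule names in the comments are the standard ones from the two models.

```python
# Added example (not part of the DCWF KSAT listing): applying the Bell-LaPadula
# confidentiality model and the Biba integrity model as mandatory access control
# checks. Level names, compartments and the sample subject/objects are
# constructed for illustration only.
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Ordered sensitivity/integrity levels (hypothetical lattice)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """Security label: a level plus a set of need-to-know compartments."""
    level: Level
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        # a dominates b when a's level is at least b's and a holds every
        # compartment b carries; this partial order is what both models compare.
        return (self.level >= other.level
                and self.compartments >= other.compartments)


# Bell-LaPadula (confidentiality): no read up, no write down.
def blp_can_read(subject: Label, obj: Label) -> bool:
    return subject.dominates(obj)          # simple security property


def blp_can_write(subject: Label, obj: Label) -> bool:
    return obj.dominates(subject)          # *-property (star property)


# Biba (integrity): no read down, no write up (the dual of Bell-LaPadula).
def biba_can_read(subject: Label, obj: Label) -> bool:
    return obj.dominates(subject)          # simple integrity property


def biba_can_write(subject: Label, obj: Label) -> bool:
    return subject.dominates(obj)          # integrity *-property


RULES = {
    ("blp", "read"): blp_can_read,
    ("blp", "write"): blp_can_write,
    ("biba", "read"): biba_can_read,
    ("biba", "write"): biba_can_write,
}


def decide(model: str, op: str, subject: Label, obj: Label) -> bool:
    """Return True if `op` by `subject` on `obj` is permitted under `model`."""
    return RULES[(model, op)](subject, obj)


def evaluate(requests):
    """Evaluate a batch of (model, op, subject, obj) requests; return decisions."""
    return [decide(m, op, s, o) for (m, op, s, o) in requests]


# Constructed sample: a SECRET//NATO-cleared subject against three objects.
ANALYST = Label(Level.SECRET, frozenset({"NATO"}))
MEMO = Label(Level.CONFIDENTIAL)
PLAN = Label(Level.TOP_SECRET, frozenset({"NATO"}))
CRYPTO_KEY = Label(Level.SECRET, frozenset({"CRYPTO"}))

SAMPLE = [
    ("blp", "read", ANALYST, MEMO),        # allowed: reading down
    ("blp", "read", ANALYST, PLAN),        # denied: read up
    ("blp", "read", ANALYST, CRYPTO_KEY),  # denied: missing compartment
    ("blp", "write", ANALYST, MEMO),       # denied: write down would leak
    ("blp", "write", ANALYST, PLAN),       # allowed: write up
    ("biba", "read", ANALYST, MEMO),       # denied: reading lower-integrity data
    ("biba", "write", ANALYST, MEMO),      # allowed: writing to lower integrity
]

if __name__ == "__main__":
    for (model, op, s, o), ok in zip(SAMPLE, evaluate(SAMPLE)):
        print(f"{model:4} {op:5} {s.level.name}/{set(s.compartments) or '-'} -> "
              f"{o.level.name}/{set(o.compartments) or '-'}: "
              f"{'ALLOW' if ok else 'DENY'}")
```

The two models are exact duals: the same `dominates` relation drives both, only the direction of the comparison flips between read and write. In a real cross-domain design the label comparison is the easy part; the hard parts the example leaves out are trusted subjects that may legitimately downgrade, and covert channels through shared resources, which neither model addresses.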
Conducts independent comprehensive assessments of the management, operational, and technical security controls and control enhancements employed within or inherited by an information technology (IT) system to determine the overall effectiveness of the controls (as defined in NIST 800-37).
Core KSATs
KSAT ID | Description | KSAT |
---|---|---|
19 | Knowledge of cyber defense and vulnerability assessment tools, including open source tools, and their capabilities. | Knowledge |
22 | * Knowledge of computer networking concepts and protocols, and network security methodologies. | Knowledge |
40 | Knowledge of organization’s evaluation and validation requirements. | Knowledge |
55 | Knowledge of cybersecurity principles used to manage risks related to the use, processing, storage, and transmission of information or data. | Knowledge |
58 | Knowledge of known vulnerabilities from alerts, advisories, errata, and bulletins. | Knowledge |
63 | Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). | Knowledge |
70 | Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption). | Knowledge |
77 | Knowledge of current industry methods for evaluating, implementing, and disseminating information technology (IT) security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities. | Knowledge |
105 | Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] injections, race conditions, covert channel, replay, return-oriented attacks, malicious code). | Knowledge |
108 | * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). | Knowledge |
183 | Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes. | Skill |
197 | Skill in discerning the protection needs (i.e., security controls) of information systems and networks. | Skill |
537 | Develop methods to monitor and measure risk, compliance, and assurance efforts. | Task |
548 | Develop specifications to ensure risk, compliance, and assurance efforts conform with security, resilience, and dependability requirements at the software application, system, and network environment level. | Task |
566 | Draft statements of preliminary or residual security risks for system operation. | Task |
691 | Maintain information systems assurance and accreditation materials. | Task |
710 | Monitor and evaluate a system’s compliance with information technology (IT) security, resilience, and dependability requirements. | Task |
1040A | Knowledge of relevant laws, policies, procedures, or governance related to critical infrastructure. | Knowledge |
1072 | Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). | Knowledge |
1157 | * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity. | Knowledge |
1158 | * Knowledge of cybersecurity principles. | Knowledge |
1159 | * Knowledge of cyber threats and vulnerabilities. | Knowledge |
6900 | * Knowledge of specific operational impacts of cybersecurity lapses. | Knowledge |
6935 | * Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). | Knowledge |
6938 | * Knowledge of cloud computing deployment models in private, public, and hybrid environments and the difference between on-premises and off-premises environments. | Knowledge |
Additional KSATs
KSAT ID | Description | KSAT |
---|---|---|
3B | Skill in conducting vulnerability scans and recognizing vulnerabilities in information systems and networks. | Skill |
27 | Knowledge of cryptography and cryptographic key management concepts. | Knowledge |
38 | Knowledge of organization’s enterprise information security architecture system. | Knowledge |
43A | Knowledge of embedded systems. | Knowledge |
53A | Knowledge of security risk assessments and authorization per Risk Management Framework processes. | Knowledge |
69A | Knowledge of risk management processes and requirements per the Risk Management Framework (RMF). | Knowledge |
88 | Knowledge of new and emerging information technology (IT) and cybersecurity technologies. | Knowledge |
88A | Knowledge of current and emerging cyber technologies. | Knowledge |
95B | Knowledge of penetration testing principles, tools, and techniques, including specialized tools for non-traditional systems and networks (e.g., control systems). | Knowledge |
121 | Knowledge of structured analysis principles and methods. | Knowledge |
128 | Knowledge of systems diagnostic tools and fault identification techniques. | Knowledge |
143 | Knowledge of the organization’s enterprise information technology (IT) goals and objectives. | Knowledge |
156 | Skill in applying confidentiality, integrity, and availability principles. | Skill |
203 | Skill in identifying measures or indicators of system performance and the actions needed to improve or correct performance, relative to the goals of the system. | Skill |
417 | Apply coding and testing standards, apply security testing tools including "fuzzing" and static-analysis code scanning tools, and conduct code reviews. | Task |
457 | Conduct Privacy Impact Assessments (PIA) of the application’s security design for the appropriate security controls, which protect the confidentiality and integrity of Personally Identifiable Information (PII). | Task |
772 | Perform validation steps, comparing actual results with expected results and analyze the differences to identify impact and risks. | Task |
775 | Plan and conduct security authorization reviews and assurance case development for initial installation of systems and networks. | Task |
798 | Provide an accurate technical evaluation of the software application, system, or network, documenting the security posture, capabilities, and vulnerabilities against relevant cybersecurity compliance requirements. | Task |
827 | Recommend new or revised security, resilience, and dependability measures based on the results of reviews. | Task |
836B | Review and approve security and privacy assessment plans. | Task |
836 | Review authorization and assurance documents to confirm that the level of risk is within acceptable limits for each software application, system, and network. | Task |
878 | Verify that application software/network/system security postures are implemented as stated, document deviations, and recommend required actions to correct those deviations. | Task |
879 | Verify that the software application/network/system accreditation and assurance documentation is current. | Task |
936 | Develop security compliance processes and/or audits for external services (e.g., cloud service providers, data centers). | Task |
942 | Knowledge of the organization’s core business/mission processes. | Knowledge |
1034A | Knowledge of Personally Identifiable Information (PII) data security standards. | Knowledge |
1034B | Knowledge of Payment Card Industry (PCI) data security standards. | Knowledge |
1034C | Knowledge of Personal Health Information (PHI) data security standards. | Knowledge |
1036 | Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed. | Knowledge |
1037 | Knowledge of information technology (IT) supply chain security and risk management policies, requirements, and procedures. | Knowledge |
1038B | Knowledge of local specialized system requirements (e.g., critical infrastructure/control systems that may not use standard information technology [IT]) for safety, performance, and reliability. | Knowledge |
1039 | Skill in evaluating the trustworthiness of the supplier and/or product. | Skill |
1131 | Knowledge of security architecture concepts and enterprise architecture reference models (e.g., Zachman, Federal Enterprise Architecture [FEA]). | Knowledge |
1141A | Knowledge of an organization’s information classification program and procedures for information compromise. | Knowledge |
1142 | Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model). | Knowledge |
1146 | Develop and implement cybersecurity independent audit processes for application software/networks/systems and oversee ongoing independent audits to ensure that operational and Research and Development (R&D) processes and procedures are in compliance with organizational and mandatory cybersecurity requirements and accurately followed by Systems Administrators and other cybersecurity staff when performing their day-to-day activities. | Task |
Performs assessments of systems and networks within the network environment (NE) or enclave and identifies where those systems/networks deviate from acceptable configurations, enclave policy, or local policy. Measures effectiveness of defense-in-depth architecture against known vulnerabilities.
Core KSATs
KSAT ID | Description | KSAT |
---|---|---|
10 | Knowledge of application vulnerabilities. | Knowledge |
10A | Skill in conducting application vulnerability assessments. | Skill |
22 | * Knowledge of computer networking concepts and protocols, and network security methodologies. | Knowledge |
92 | Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]). | Knowledge |
105 | Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] injections, race conditions, covert channel, replay, return-oriented attacks, malicious code). | Knowledge |
108 | * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). | Knowledge |
150 | Knowledge of what constitutes a network attack and the relationship to both threats and vulnerabilities. | Knowledge |
692 | Maintain knowledge of applicable cyber defense policies, regulations, and compliance documents specifically related to cyber defense auditing. | Task |
784 | Prepare audit reports that identify technical and procedural findings, and provide recommended remediation strategies/solutions. | Task |
1072 | Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). | Knowledge |
1157 | * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity. | Knowledge |
1158 | * Knowledge of cybersecurity principles. | Knowledge |
1159 | * Knowledge of cyber threats and vulnerabilities. | Knowledge |
6900 | * Knowledge of specific operational impacts of cybersecurity lapses. | Knowledge |
6935 | * Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). | Knowledge |
6938 | * Knowledge of cloud computing deployment models in private, public, and hybrid environments and the difference between on-premises and off-premises environments. | Knowledge |
Additional KSATs
KSAT ID | Description | KSAT |
---|---|---|
3B | Skill in conducting vulnerability scans and recognizing vulnerabilities in information systems and networks. | Skill |
4 | Ability to identify systemic security issues based on the analysis of vulnerability and configuration data. | Ability |
27 | Knowledge of cryptography and cryptographic key management concepts. | Knowledge |
27B | Skill in assessing the application of cryptographic standards. | Skill |
29 | Knowledge of data backup, types of backups (e.g., full, incremental), and recovery concepts and tools. | Knowledge |
49 | Knowledge of host/network access control mechanisms (e.g., access control list). | Knowledge |
63 | Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). | Knowledge |
79 | Knowledge of network access, identity, and access management (e.g., public key infrastructure [PKI]). | Knowledge |
81A | Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services. | Knowledge |
95B | Knowledge of penetration testing principles, tools, and techniques, including specialized tools for non-traditional systems and networks (e.g., control systems). | Knowledge |
102A | Ability to apply programming language structures (e.g., source code review) and logic. | Ability |
102 | Knowledge of programming language structures and logic. | Knowledge |
128 | Knowledge of systems diagnostic tools and fault identification techniques. | Knowledge |
160 | Skill in assessing the robustness of security systems and designs. | Skill |
181A | Skill in detecting host and network based intrusions via intrusion detection technologies. | Skill |
210 | Skill in mimicking threat behaviors. | Skill |
214B | Knowledge of packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump). | Knowledge |
225A | Skill in the use of penetration testing tools and techniques, including specialized tools for non-traditional systems and networks (e.g., control systems). | Skill |
226 | Skill in the use of social engineering techniques. | Skill |
411A | Analyze organization’s cybersecurity policies and configurations and evaluate compliance with regulations and organizational directives. | Task |
448 | Conduct and/or support authorized penetration testing on enterprise network assets. | Task |
685A | Maintain deployable cybersecurity audit toolkit (e.g., specialized cyber defense software and hardware) to support cybersecurity audit missions. | Task |
801B | Knowledge of threat and risk assessment. | Knowledge |
897A | Skill in performing impact/risk assessments. | Skill |
904 | Knowledge of interpreted and compiled computer languages. | Knowledge |
922B | Skill in using network analysis tools, including specialized tools for non-traditional systems and networks (e.g., control systems), to identify vulnerabilities. | Skill |
Skill |
939 | Conduct required reviews as appropriate within environment (e.g., Technical Surveillance, Countermeasure Reviews [TSCM], TEMPEST countermeasure reviews). |
Task |
940B | Perform technical (evaluation of technology) and non-technical (evaluation of people and operations) risk and vulnerability assessments of relevant technology focus areas (e.g., local computing environment, network and infrastructure, control system and operational environments, enclave boundary, supporting infrastructure, and applications). |
Task |
941A | Make recommendations regarding the selection of cost-effective security controls to mitigate risk (e.g., protection of information, systems and processes). |
Task |
991 | Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution). |
Knowledge |
992C | Knowledge of threat environments (e.g., first generation threat actors, threat activities). |
Knowledge |
992B | Knowledge of cyber attackers (e.g., script kiddies, insider threat, non-nation state sponsored, and nation sponsored). |
Knowledge |
1033 | Knowledge of basic system administration, network, and operating system hardening techniques. |
Knowledge |
1038A | Knowledge of infrastructure supporting information technology (IT) for safety, performance, and reliability. |
Knowledge |
1069 | Knowledge of general attack stages (e.g., foot printing and scanning, enumeration, gaining access, escalation or privileges, maintaining access, network exploitation, covering tracks). |
Knowledge |
1141A | Knowledge of an organization’s information classification program and procedures for information compromise. |
Knowledge |
1142 | Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model). |
Knowledge |
3150 | Knowledge of ethical hacking principles and techniques. |
Knowledge |
3222 | Knowledge of data backup and restoration concepts. |
Knowledge |
3513 | Knowledge of system administration concepts for Unix/Linux and/or Windows operating systems. |
Knowledge |
6210 | Knowledge of cloud service models and possible limitations for an incident response. |
Knowledge |
6660 | Skill in reviewing logs to identify evidence of past intrusions. |
Skill |
6918 | Ability to apply cybersecurity strategy to cloud computing service and deployment models, identifying proper architecture for different operating environments. |
Ability |