Cybersecurity

Personnel who secure, defend, and preserve data, networks, net-centric capabilities, and other designated systems by ensuring appropriate security controls and measures are in place, and taking internal defense actions. This includes access to system controls, monitoring, administration, and integration of cybersecurity into all aspects of engineering and acquisition of cyberspace capabilities.

Below are the associated Work Roles, each listed with its Core and Additional KSATs (Knowledge, Skills, Abilities, and Tasks). Items denoted by a * are CORE KSATs for every Work Role, while other CORE KSATs vary by Work Role.

Authorizing Official/Designating Representative Work Role ID: 611 (NIST: SP-RM-001) Workforce Element: Cybersecurity

Senior official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation (CNSSI 4009).

Core KSATs

KSAT ID | Type | Description
22 | Knowledge | * Knowledge of computer networking concepts and protocols, and network security methodologies.
38 | Knowledge | Knowledge of organization’s enterprise information security architecture system.
53 | Knowledge | Knowledge of the Security Assessment and Authorization process.
55 | Knowledge | Knowledge of cybersecurity principles used to manage risks related to the use, processing, storage, and transmission of information or data.
63 | Knowledge | Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
69 | Knowledge | Knowledge of Risk Management Framework (RMF) requirements.
77 | Knowledge | Knowledge of current industry methods for evaluating, implementing, and disseminating information technology (IT) security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities.
88 | Knowledge | Knowledge of new and emerging information technology (IT) and cybersecurity technologies.
108 | Knowledge | * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
121 | Knowledge | Knowledge of structured analysis principles and methods.
156A | Knowledge | Knowledge of confidentiality, integrity, and availability principles.
197 | Skill | Skill in discerning the protection needs (i.e., security controls) of information systems and networks.
1034A | Knowledge | Knowledge of Personally Identifiable Information (PII) data security standards.
1037 | Knowledge | Knowledge of information technology (IT) supply chain security and risk management policies, requirements, and procedures.
1040A | Knowledge | Knowledge of relevant laws, policies, procedures, or governance related to critical infrastructure.
1072 | Knowledge | Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).
1157 | Knowledge | * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.
1158 | Knowledge | * Knowledge of cybersecurity principles.
1159 | Knowledge | * Knowledge of cyber threats and vulnerabilities.
5320 | Task | Establish acceptable limits for the software application, network, or system.
6900 | Knowledge | * Knowledge of specific operational impacts of cybersecurity lapses.
6935 | Knowledge | * Knowledge of cloud computing service models: Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).
6938 | Knowledge | * Knowledge of cloud computing deployment models (private, public, and hybrid environments) and the difference between on-premises and off-premises environments.

Additional KSATs

KSAT ID | Type | Description
19 | Knowledge | Knowledge of cyber defense and vulnerability assessment tools, including open source tools, and their capabilities.
27 | Knowledge | Knowledge of cryptography and cryptographic key management concepts.
40 | Knowledge | Knowledge of organization’s evaluation and validation requirements.
43A | Knowledge | Knowledge of embedded systems.
58 | Knowledge | Knowledge of known vulnerabilities from alerts, advisories, errata, and bulletins.
70 | Knowledge | Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption).
95A | Knowledge | Knowledge of penetration testing principles, tools, and techniques.
98 | Knowledge | Knowledge of policy-based and risk adaptive access controls.
105 | Knowledge | Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and other injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
128 | Knowledge | Knowledge of systems diagnostic tools and fault identification techniques.
143 | Knowledge | Knowledge of the organization’s enterprise information technology (IT) goals and objectives.
177B | Knowledge | Knowledge of countermeasures for identified security risks.
179 | Skill | Skill in designing security controls based on cybersecurity principles and tenets.
325 | Knowledge | Knowledge of secure acquisitions (e.g., relevant Contracting Officer’s Technical Representative [COTR] duties, secure procurement, supply chain risk management).
600 | Task | Evaluate cost-benefit, economic, and risk analysis in the decision-making process.
696C | Task | Manage authorization packages.
696B | Task | Authorizing Official only: Approve authorization packages.
710 | Task | Monitor and evaluate a system’s compliance with information technology (IT) security, resilience, and dependability requirements.
801A | Task | Provide enterprise cybersecurity and supply chain risk management guidance.
836A | Task | Authorizing Official only: Determine if the security and privacy risk from operating a system or using a system, service, or application from an external provider is acceptable.
942 | Knowledge | Knowledge of the organization’s core business/mission processes.
952 | Knowledge | Knowledge of emerging security issues, risks, and vulnerabilities.
965 | Knowledge | Knowledge of organization’s risk tolerance and/or risk management approach.
979 | Knowledge | Knowledge of supply chain risk management standards, processes, and practices.
1034B | Knowledge | Knowledge of Payment Card Industry (PCI) data security standards.
1034C | Knowledge | Knowledge of Personal Health Information (PHI) data security standards.
1036 | Knowledge | Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed.
1037A | Knowledge | Knowledge of information technology (IT) risk management policies, requirements, and procedures.
1038 | Knowledge | Knowledge of local specialized system requirements (e.g., critical infrastructure systems that may not use standard information technology [IT]) for safety, performance, and reliability.
1131 | Knowledge | Knowledge of security architecture concepts and enterprise architecture reference models (e.g., Zachman, Federal Enterprise Architecture [FEA]).
1142 | Knowledge | Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model).
1146 | Task | Develop and implement cybersecurity independent audit processes for application software/networks/systems and oversee ongoing independent audits to ensure that operational and Research and Development (R&D) processes and procedures are in compliance with organizational and mandatory cybersecurity requirements and are accurately followed by Systems Administrators and other cybersecurity staff when performing their day-to-day activities.
1157A | Knowledge | Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity and AI.
3591 | Knowledge | Knowledge of organization objectives, leadership priorities, and decision-making risks.
5824 | Task | Authorizing Official only: Approve security and privacy assessment plans for systems and environments of operation.
5837 | Task | Respond to threats and vulnerabilities based on the results of ongoing/continuous monitoring activities and risk assessments, and decide if risk remains acceptable.
5838 | Task | Review and approve security categorization results for systems.
5839 | Task | Review security and privacy assessment plans for systems and environments of operation.
6931 | Knowledge | Knowledge of methods and techniques for analyzing risk.
6936 | Knowledge | Knowledge of types of authorizations.
5827 | Task | Determine the authorization boundaries of systems.

COMSEC Manager Work Role ID: 723 (NIST: OV-MG-002) Workforce Element: Cybersecurity

Manages the Communications Security (COMSEC) resources of an organization (CNSSI No. 4009).

Core KSATs

KSAT ID | Type | Description
22 | Knowledge | * Knowledge of computer networking concepts and protocols, and network security methodologies.
25 | Knowledge | Knowledge of encryption algorithms (e.g., Internet Protocol Security [IPsec], Advanced Encryption Standard [AES], Generic Routing Encapsulation [GRE], Internet Key Exchange [IKE], Message Digest Algorithm [MD5], Secure Hash Algorithm [SHA], Triple Data Encryption Standard [3DES]).
37 | Knowledge | Knowledge of disaster recovery and continuity of operations plans.
55 | Knowledge | Knowledge of cybersecurity principles used to manage risks related to the use, processing, storage, and transmission of information or data.
61 | Knowledge | Knowledge of incident response and handling methodologies.
108 | Knowledge | * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
395 | Task | Advise senior management (e.g., CIO) on risk levels and security posture.
578 | Task | Ensure security improvement actions are evaluated, validated, and implemented as required.
824 | Task | Recognize a possible security violation and take appropriate action to report the incident, as required.
852 | Task | Supervise or manage protective or corrective measures when a cybersecurity incident or vulnerability is discovered.
1141A | Knowledge | Knowledge of an organization’s information classification program and procedures for information compromise.
1157 | Knowledge | * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.
1158 | Knowledge | * Knowledge of cybersecurity principles.
1159 | Knowledge | * Knowledge of cyber threats and vulnerabilities.
6900 | Knowledge | * Knowledge of specific operational impacts of cybersecurity lapses.

Additional KSATs

KSAT ID | Type | Description
129 | Knowledge | Knowledge of system life cycle management principles, including software security and usability.
143 | Knowledge | Knowledge of the organization’s enterprise information technology (IT) goals and objectives.
183 | Skill | Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.
299 | Knowledge | Knowledge of information security program management and project management principles and techniques.
325 | Knowledge | Knowledge of secure acquisitions (e.g., relevant Contracting Officer’s Technical Representative [COTR] duties, secure procurement, supply chain risk management).
396 | Task | Advise senior management (e.g., CIO) on cost/benefit analysis of information security programs, policies, processes, systems, and elements.
445 | Task | Communicate the value of information technology (IT) security to stakeholders at all levels of the organization.
475 | Task | Collaborate with stakeholders to establish the enterprise continuity of operations program, strategy, and mission assurance.
596 | Task | Establish the overall enterprise information security architecture (EISA), aligned with the organization’s overall security strategy.
600 | Task | Evaluate cost-benefit, economic, and risk analysis in the decision-making process.
1004 | Knowledge | Knowledge of critical information technology (IT) procurement requirements.
1040A | Knowledge | Knowledge of relevant laws, policies, procedures, or governance related to critical infrastructure.

Control Systems Security Specialist Work Role ID: 462 (NIST: N/A) Workforce Element: Cybersecurity

Responsible for device, equipment, and system-level cybersecurity configuration and day-to-day security operations of control systems, including security monitoring and maintenance along with stakeholder coordination to ensure the system and its interconnections are secure in support of mission operations.

Core KSATs

KSAT ID | Type | Description
22 | Knowledge | * Knowledge of computer networking concepts and protocols, and network security methodologies.
79 | Knowledge | Knowledge of network access, identity, and access management (e.g., public key infrastructure [PKI]).
106 | Knowledge | Knowledge of remote access technology concepts.
108 | Knowledge | * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
708A | Task | Mitigate/correct security deficiencies identified during security/certification testing and/or recommend risk acceptance for the appropriate senior leader or authorized representative.
1157 | Knowledge | * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.
1158 | Knowledge | * Knowledge of cybersecurity principles.
1159 | Knowledge | * Knowledge of cyber threats and vulnerabilities.
3277 | Knowledge | Knowledge of general SCADA system components.
3740 | Skill | Skill in determining installed patches on various operating systems and identifying patch signatures.
5823 | Task | Apply updates, patches, and security technical implementation guides while maintaining control system performance and availability requirements.
5829 | Task | Establish and maintain the security configuration baseline for the control system(s), including field devices, IT components, interconnections, and interfaces.
5830 | Task | Implement Risk Management Framework (RMF) assessment requirements for control systems, and document/maintain records for them.
5831 | Task | Maintain knowledge of the function and security of control system and IT technologies with which the control systems interface.
5832 | Task | Maintain network segmentation to isolate control systems from business networks and other external connections as directed.
5836 | Task | Perform asset management and maintain an inventory of control system devices and components through physical inspection or logical scans.
5840 | Task | Support risk assessments by reviewing and documenting the implementation status of security requirements of control systems.
6929 | Knowledge | Knowledge of control system technologies, such as Programmable Logic Controllers (PLCs), Supervisory Control and Data Acquisition (SCADA) software, Distributed Control Systems (DCS), and Operational Technology (OT).
6900 | Knowledge | * Knowledge of specific operational impacts of cybersecurity lapses.
6927 | Knowledge | Knowledge of control system environment risks, threats, and vulnerabilities.
6933 | Knowledge | Knowledge of risk management processes specific to control systems.
6935 | Knowledge | * Knowledge of cloud computing service models: Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).
6938 | Knowledge | * Knowledge of cloud computing deployment models (private, public, and hybrid environments) and the difference between on-premises and off-premises environments.
6940 | Skill | Skill in applying security and managing risk in resource-constrained systems and networks.
6941 | Skill | Skill in architecting compensating security controls to reduce risk for control systems and control system components that do not have adequate or compliant security capabilities.
6946 | Skill | Skill in securing control system communication protocols (e.g., TCP/IP, SSL/TLS, SCADA protocols such as Modbus, DNP3, and PROFINET, GOOSE) and media used for field device control.

Additional KSATs

KSAT ID | Type | Description
3A | Skill | Skill in recognizing vulnerabilities in security systems.
43A | Knowledge | Knowledge of embedded systems.
69A | Knowledge | Knowledge of risk management processes and requirements per the Risk Management Framework (RMF).
88A | Knowledge | Knowledge of current and emerging cyber technologies.
342A | Knowledge | Knowledge of operating system command line/prompt.
809 | Task | Provide input to the Risk Management Framework process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials).
3353 | Knowledge | Knowledge of the Risk Management Framework Assessment Methodology.
5821 | Task | Act as a liaison between facility operations/engineering teams and IT or network security teams to coordinate security activities.
5822 | Task | Apply tailored organizational security policies and procedures for control system environments to maintain security while also ensuring system availability.
5826 | Task | Consult on control system security matters (e.g., risk assessment, configuration management) as needed.
5828 | Task | Ensure configuration and collection of control system audit logs for monitoring and forensic analysis as appropriate.
5833 | Task | Off-load control system audit logs and review them for anomalies.
5834 | Task | Participate in control system change management in conjunction with IT personnel and control system experts (e.g., system supplier).
5835 | Task | Participate in control system incident and disaster response, including secure system recovery.
6928 | Knowledge | Knowledge of control system performance and availability requirements.
6934 | Knowledge | Knowledge of RMF assessment types (e.g., Assess & Authorize [A&A], Assess Only) and authorization boundaries (e.g., Closed Restricted Network [CRN], Stand-alone Information System [SIS]).
6937 | Knowledge | Knowledge of what “normal” control system operations for specific mission/business functions look like.
6939 | Skill | Skill in active and passive methods to safely gather information and conduct vulnerability and network analysis scans in control system environments.
6943 | Skill | Skill in identifying and investigating “abnormal” control system operations based on what specific mission/business functions look like.

Cyber Defense Analyst Work Role ID: 511 (NIST: PR-DA-001) Workforce Element: Cybersecurity

Uses data collected from a variety of cyber defense tools (e.g., IDS alerts, firewalls, network traffic logs.) to analyze events that occur within their environments for the purposes of mitigating threats.

Core KSATs

KSAT ID | Type | Description
19 | Knowledge | Knowledge of cyber defense and vulnerability assessment tools, including open source tools, and their capabilities.
22 | Knowledge | * Knowledge of computer networking concepts and protocols, and network security methodologies.
59A | Knowledge | Knowledge of Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) tools and applications.
66 | Knowledge | Knowledge of intrusion detection methodologies and techniques for detecting host- and network-based intrusions via intrusion detection technologies.
70 | Knowledge | Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption).
81A | Knowledge | Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), and directory services.
87 | Knowledge | Knowledge of network traffic analysis methods.
92 | Knowledge | Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]).
108 | Knowledge | * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
150 | Knowledge | Knowledge of what constitutes a network attack and the relationship to both threats and vulnerabilities.
214A | Skill | Skill in performing packet-level analysis.
353 | Skill | Skill in collecting data from a variety of cyber defense resources.
433 | Task | Characterize and analyze network traffic to identify anomalous activity and potential threats to network resources.
472 | Task | Coordinate with enterprise-wide cyber defense staff to validate network alerts.
723 | Task | Document and escalate incidents (including the event’s history, status, and potential impact for further action) that may cause ongoing and immediate impact to the environment.
745 | Task | Perform cyber defense trend analysis and reporting.
750 | Task | Perform event correlation using information gathered from a variety of sources within the enterprise to gain situational awareness and determine the effectiveness of an observed attack.
767 | Task | Perform security reviews and identify security gaps in the security architecture, resulting in recommendations for inclusion in the risk mitigation strategy.
800 | Task | Provide daily summary reports of network events and activity relevant to cyber defense practices.
823 | Task | Receive and analyze network alerts from various sources within the enterprise and determine possible causes of such alerts.
895 | Skill | Skill in recognizing and categorizing types of vulnerabilities and associated attacks.
922A | Knowledge | Knowledge of how to use network analysis tools to identify vulnerabilities.
956 | Task | Provide timely detection, identification, and alerting of possible attacks/intrusions, anomalous activities, and misuse activities, and distinguish these incidents and events from benign activities.
958 | Task | Use cyber defense tools for continual monitoring and analysis of system activity to identify malicious activity.
959 | Task | Analyze identified malicious activity to determine weaknesses exploited, exploitation methods, and effects on system and information.
984 | Knowledge | Knowledge of cyber defense policies, procedures, and regulations.
990 | Knowledge | Knowledge of the common attack vectors on the network layer.
991 | Knowledge | Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution).
1069A | Knowledge | Knowledge of the general kill chain (e.g., footprinting and scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks).
1107 | Task | Identify and analyze anomalies in network traffic using metadata (e.g., CENTAUR).
1108 | Task | Conduct research, analysis, and correlation across a wide variety of all-source data sets (indications and warnings).
1111 | Task | Identify applications and operating systems of a network device based on network traffic.
1157 | Knowledge | * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.
1158 | Knowledge | * Knowledge of cybersecurity principles.
1159 | Knowledge | * Knowledge of cyber threats and vulnerabilities.
6900 | Knowledge | * Knowledge of specific operational impacts of cybersecurity lapses.
6935 | Knowledge | * Knowledge of cloud computing service models: Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).
6938 | Knowledge | * Knowledge of cloud computing deployment models (private, public, and hybrid environments) and the difference between on-premises and off-premises environments.

Additional KSATs

KSAT ID | Type | Description
3C | Skill | Skill in recognizing vulnerabilities in information and/or data systems.
8 | Knowledge | Knowledge of authentication, authorization, and access control methods.
21 | Knowledge | Knowledge of computer algorithms.
25 | Knowledge | Knowledge of encryption algorithms (e.g., Internet Protocol Security [IPsec], Advanced Encryption Standard [AES], Generic Routing Encapsulation [GRE], Internet Key Exchange [IKE], Message Digest Algorithm [MD5], Secure Hash Algorithm [SHA], Triple Data Encryption Standard [3DES]).
27 | Knowledge | Knowledge of cryptography and cryptographic key management concepts.
34 | Knowledge | Knowledge of database systems.
43A | Knowledge | Knowledge of embedded systems.
49 | Knowledge | Knowledge of host/network access control mechanisms (e.g., access control list).
58 | Knowledge | Knowledge of known vulnerabilities from alerts, advisories, errata, and bulletins.
61 | Knowledge | Knowledge of incident response and handling methodologies.
63 | Knowledge | Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
75C | Skill | Skill in conducting trend analysis.
79 | Knowledge | Knowledge of network access, identity, and access management (e.g., public key infrastructure [PKI]).
88A | Knowledge | Knowledge of current and emerging cyber technologies.
90 | Knowledge | Knowledge of operating systems.
95A | Knowledge | Knowledge of penetration testing principles, tools, and techniques.
98 | Knowledge | Knowledge of policy-based and risk adaptive access controls.
105 | Knowledge | Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and other injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
110 | Knowledge | Knowledge of key concepts in security management (e.g., Release Management, Patch Management).
111 | Knowledge | Knowledge of security system design tools, methods, and techniques.
130A | Knowledge | Knowledge of systems security testing and evaluation methods.
133 | Knowledge | Knowledge of key telecommunications concepts (e.g., Routing Algorithms, Fiber Optics Systems Link Budgeting, Add/Drop Multiplexers).
138 | Knowledge | Knowledge of the cyber defense Service Provider reporting structure and processes within one’s own organization.
139 | Knowledge | Knowledge of the common networking protocols (e.g., TCP/IP), services (e.g., web, mail, Domain Name System), and how they interact to provide network communications.
148 | Knowledge | Knowledge of Virtual Private Network (VPN) security.
175 | Skill | Skill in developing and deploying signatures.
177B | Knowledge | Knowledge of countermeasures for identified security risks.
179A | Skill | Skill in assessing security controls based on cybersecurity principles and tenets.
181A | Skill | Skill in detecting host- and network-based intrusions via intrusion detection technologies.
183 | Skill | Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.
199 | Skill | Skill in evaluating the adequacy of security designs.
212A | Knowledge | Knowledge of network mapping and recreating network topologies.
229 | Skill | Skill in using incident handling methodologies.
233 | Skill | Skill in using protocol analyzers.
234B | Knowledge | Knowledge of the use of sub-netting tools.
270 | Knowledge | Knowledge of common adversary tactics, techniques, and procedures in assigned area of responsibility (i.e., historical country-specific tactics, techniques, and procedures; emerging capabilities).
271 | Knowledge | Knowledge of common network tools (e.g., ping, traceroute, nslookup).
277 | Knowledge | Knowledge of defense-in-depth principles and network security architecture.
278 | Knowledge | Knowledge of different types of network communication (e.g., LAN, WAN, MAN, WLAN, WWAN).
286 | Knowledge | Knowledge of file extensions (e.g., .dll, .bat, .zip, .pcap, .gz).
342A | Knowledge | Knowledge of operating system command line/prompt.
427 | Task | Develop content for cyber defense tools.
559B | Task | Analyze and report system security posture trends.
559A | Task | Analyze and report organizational security posture trends.
576 | Task | Ensure cybersecurity-enabled products or other compensating security control technologies reduce identified risk to an acceptable level.
593A | Task | Assess adequate access controls based on principles of least privilege and need-to-know.
716A | Task | Monitor external data sources (e.g., cyber defense vendor sites, Computer Emergency Response Teams, Security Focus) to maintain currency of cyber defense threat condition and determine which security issues may have an impact on the enterprise.
717A | Task | Assess and monitor cybersecurity related to system implementation and testing practices.
782 | Task | Plan and recommend modifications or adjustments based on exercise results or system environment.
806A | Task | Provide cybersecurity recommendations to leadership based on significant threats and vulnerabilities.
880A | Task | Work with stakeholders to resolve computer security incidents and vulnerability compliance.
904 | Knowledge | Knowledge of interpreted and compiled computer languages.
912 | Knowledge | Knowledge of collection management processes, capabilities, and limitations.
915 | Knowledge | Knowledge of front-end collection systems, including traffic collection, filtering, and selection.
922B | Skill | Skill in using network analysis tools, including specialized tools for non-traditional systems and networks (e.g., control systems), to identify vulnerabilities.
938A | Task | Provide advice and input for Disaster Recovery, Contingency, and Continuity of Operations Plans.
992C | Knowledge | Knowledge of threat environments (e.g., first generation threat actors, threat activities).
1033 | Knowledge | Knowledge of basic system administration, network, and operating system hardening techniques.
1034C | Knowledge | Knowledge of Personal Health Information (PHI) data security standards.
1034B | Knowledge | Knowledge of Payment Card Industry (PCI) data security standards.
1034A | Knowledge | Knowledge of Personally Identifiable Information (PII) data security standards.
1036 | Knowledge | Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed.
1072 | Knowledge | Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).
1073 | Knowledge | Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools.
1103 | Task | Determine tactics, techniques, and procedures (TTPs) for intrusion sets.
1104 | Task | Examine network topologies to understand data flows through the network.
1105 | Task | Recommend computing environment vulnerability corrections.
1109 | Task | Validate intrusion detection system (IDS) alerts against network traffic using packet analysis tools.
1110 | Task | Isolate and remove malware.
1111 | Task | Identify applications and operating systems of a network device based on network traffic.
1112 | Task | Reconstruct a malicious attack or activity based on network traffic.
1113 | Task | Identify network mapping and operating system (OS) fingerprinting activities.
1114 | Knowledge | Knowledge of encryption methodologies.
1118 | Skill | Skill in reading and interpreting signatures (e.g., Snort).
1119 | Knowledge | Knowledge of signature implementation impact.
1120 | Ability | Ability to interpret and incorporate data from multiple tool sources.
1121 | Knowledge | Knowledge of Windows/Unix ports and services.
1142 | Knowledge | Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model).
2062 | Task | Assist in the construction of signatures which can be implemented on cyber defense network tools in response to new or observed threats within the network environment (NE) or enclave.
2611 | Task | Notify designated managers, cyber incident responders, and cybersecurity service provider team members of suspected cyber incidents and articulate the event’s history, status, and potential impact for further action in accordance with the organization’s cyber incident response plan.
3007 | Ability | Ability to analyze malware.
3431 | Knowledge | Knowledge of the OSI model and underlying network protocols (e.g., TCP/IP).
3461 | Knowledge | Knowledge of relevant laws, legal authorities, restrictions, and regulations pertaining to cyber defense activities.
6210 | Knowledge | Knowledge of cloud service models and possible limitations for an incident response.

Cyber Defense Forensics Analyst Work Role ID: 212 (NIST: IN-FO-002) Workforce Element: Cybersecurity

Analyzes digital evidence and investigates computer security incidents to derive useful information in support of system/network vulnerability mitigation.

Core KSATs

KSAT ID Description KSAT
22

* Knowledge of computer networking concepts and protocols, and network security methodologies.

Knowledge
24A

Knowledge of basic concepts and practices of processing digital forensic data.

Knowledge
108

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

Knowledge
217

Skill in preserving evidence integrity according to standard operating procedures or national standards.

Skill
302

Knowledge of investigative implications of hardware, Operating Systems, and network technologies.

Knowledge
350

Skill in analyzing memory dumps to extract information.

Skill
381

Skill in using forensic tool suites (e.g., EnCase, Sleuthkit, FTK).

Skill
438A

Collect and analyze intrusion artifacts (e.g., source code, malware, and system configuration) and use discovered data to enable mitigation of potential cyber defense incidents within the enterprise.

Task
447

Conduct analysis of log files, evidence, and other information in order to determine best methods for identifying the perpetrator(s) of a network intrusion.

Task
463

Confirm what is known about an intrusion and discover new information, if possible, after identifying intrusion via dynamic analysis.

Task
541

Provide technical summary of findings in accordance with established reporting procedures.

Task
613

Examine recovered data for information of relevance to the issue at hand.

Task
752

Perform file signature analysis.

Task
890

Skill in conducting forensic analyses in multiple operating system environments (e.g., mobile device systems).

Skill
1082

Perform file system forensic analysis.

Task
1086

Knowledge of data carving tools and techniques (e.g., Foremost).

Knowledge
1087

Skill in deep analysis of captured malicious code (e.g., malware forensics).

Skill
1088

Skill in using binary analysis tools (e.g., Hexedit, command code xxd, hexdump).

Skill
1089

Knowledge of reverse engineering concepts.

Knowledge
1092

Knowledge of anti-forensics tactics, techniques, and procedures.

Knowledge
1096

Knowledge of malware analysis tools (e.g., OllyDbg, IDA Pro).

Knowledge
1098

Skill in analyzing anomalous code as malicious or benign.

Skill
1099

Skill in analyzing volatile data.

Skill
1100

Skill in identifying obfuscation techniques.

Skill
1101

Skill in interpreting results of debugger to ascertain tactics, techniques, and procedures.

Skill
1157

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

Knowledge
1158

* Knowledge of cybersecurity principles.

Knowledge
1159

* Knowledge of cyber threats and vulnerabilities.

Knowledge
6810

Knowledge of binary analysis.

Knowledge
6850

Skill in analyzing malware.

Skill
6860

Skill in conducting bit-level analysis.

Skill
6870

Skill in processing digital evidence, to include protecting and making legally sound copies of evidence.

Skill
6890

Ability to conduct forensic analyses in and for both Windows and Unix/Linux environments.

Ability
6900

* Knowledge of specific operational impacts of cybersecurity lapses.

Knowledge
6935

* Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

Knowledge
6938

* Knowledge of cloud computing deployment models in private, public, and hybrid environments and the difference between on-premises and off-premises environments.

Knowledge

Additional KSATs

KSAT ID Description KSAT
25

Knowledge of encryption algorithms (e.g., Internet Protocol Security [IPSEC], Advanced Encryption Standard [AES], Generic Routing Encapsulation [GRE], Internet Key Exchange [IKE], Message Digest Algorithm [MD5], Secure Hash Algorithm [SHA], Triple Data Encryption Standard [3DES]).

Knowledge
29

Knowledge of data backup, types of backups (e.g., full, incremental), and recovery concepts and tools.

Knowledge
61

Knowledge of incident response and handling methodologies.

Knowledge
90

Knowledge of operating systems.

Knowledge
105

Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).

Knowledge
113

Knowledge of server and client operating systems.

Knowledge
114

Knowledge of server diagnostic tools and fault identification techniques.

Knowledge
139

Knowledge of the common networking protocols (e.g., TCP/IP), services (e.g., web, mail, Domain Name Server), and how they interact to provide network communications.

Knowledge
193

Skill in developing, testing, and implementing network infrastructure contingency and recovery plans.

Skill
214A

Skill in performing packet-level analysis.

Skill
264

Knowledge of basic physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage).

Knowledge
287

Knowledge of file system implementations (e.g., New Technology File System [NTFS], File Allocation Table [FAT], File Extension [EXT]).

Knowledge
290

Knowledge of processes for seizing and preserving digital evidence (e.g., chain of custody).

Knowledge
294

Knowledge of hacking methodologies in Windows or Unix/Linux environment.

Knowledge
310

Knowledge of legal governance related to admissibility (e.g., Federal Rules of Evidence).

Knowledge
316

Knowledge of processes for collecting, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.

Knowledge
340

Knowledge of types and collection of persistent data.

Knowledge
345

Knowledge of web mail collection, searching/analyzing techniques, tools, and cookies.

Knowledge
346

Knowledge of which system files (e.g., log files, registry files, configuration files) contain relevant information and where to find those system files.

Knowledge
360

Skill in identifying and extracting data of forensic interest in diverse media (i.e., media forensics).

Skill
364

Skill in identifying, modifying, and manipulating applicable system components within Windows, Unix, or Linux (e.g., passwords, user accounts, files).

Skill
369

Skill in collecting, processing, packaging, transporting, and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data.

Skill
374

Skill in setting up a forensic workstation.

Skill
386

Skill in using virtual machines.

Skill
389

Skill in physically disassembling PCs.

Skill
480

Create a forensically sound duplicate of the evidence (i.e., forensic image) that ensures the original evidence is not unintentionally modified, to use for data recovery and analysis processes. This includes, but is not limited to, hard drives, floppy diskettes, CD, PDA, mobile phones, GPS, and all tape formats.

Task
482

Decrypt seized data using technical means.

Task
573

Ensure chain of custody is followed for all digital media acquired in accordance with the Federal Rules of Evidence.

Task
636

Identify digital evidence for examination and analysis in such a way as to avoid unintentional alteration.

Task
749

Perform dynamic analysis to boot an “image” of a drive (without necessarily having the original drive) to see the intrusion as the user may have seen it, in a native environment.

Task
753

Perform hash comparison against established database.

Task
758

Perform real-time forensic analysis (e.g., using Helix in conjunction with LiveView).

Task
759

Perform timeline analysis.

Task
762

Perform real-time cyber defense incident handling (e.g., forensic collections, intrusion correlation and tracking, threat analysis, and direct system remediation) tasks to support deployable Incident Response Teams (IRTs).

Task
768

Perform static media analysis.

Task
771

Perform tier 1, 2, and 3 malware analysis.

Task
786

Prepare digital media for imaging by ensuring data integrity (e.g., write blockers in accordance with standard operating procedures).

Task
817

Provide technical assistance on digital evidence matters to appropriate personnel.

Task
825

Recognize and accurately report forensic artifacts indicative of a particular operating system.

Task
839A

Review forensic images and other data sources (e.g., volatile data) for recovery of potentially relevant information.

Task
868A

Use data carving techniques (e.g., FTK-Foremost) to extract data for further analysis.

Task
870

Capture and analyze network traffic associated with malicious activities using network monitoring tools.

Task
871

Use specialized equipment and techniques to catalog, document, extract, collect, package, and preserve digital evidence.

Task
882A

Write and publish cyber defense recommendations, reports, and white papers on incident findings to appropriate constituencies.

Task
888

Knowledge of types of digital forensics data and how to recognize them.

Knowledge
889

Knowledge of deployable forensics.

Knowledge
908

Ability to decrypt digital data collections.

Ability
923

Knowledge of security event correlation tools.

Knowledge
944

Conduct cursory binary analysis.

Task
983

Knowledge of legal rules of evidence and court procedure.

Knowledge
1031

Serve as technical expert and liaison to law enforcement personnel and explain incident details as required.

Task
1033

Knowledge of basic system administration, network, and operating system hardening techniques.

Knowledge
1036

Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed.

Knowledge
1072

Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).

Knowledge
1081

Perform virus scanning on digital media.

Task
1083

Perform static analysis to mount an “image” of a drive (without necessarily having the original drive).

Task
1084

Perform static malware analysis.

Task
1085

Utilize deployable forensics tool kit to support operations as necessary.

Task
1091

Skill in one way hash functions (e.g., Secure Hash Algorithm [SHA], Message Digest Algorithm [MD5]).

Skill
1093

Knowledge of common forensics tool configuration and support applications (e.g., VMware, Wireshark).

Knowledge
1094

Knowledge of debugging procedures and tools.

Knowledge
1095

Knowledge of how different file types can be used for anomalous behavior.

Knowledge
1097

Knowledge of virtual machine aware malware, debugger aware malware, and packing.

Knowledge
2179

Coordinate with intelligence analysts to correlate threat assessment data.

Task
3461

Knowledge of relevant laws, legal authorities, restrictions, and regulations pertaining to cyber defense activities.

Knowledge
3513

Knowledge of system administration concepts for Unix/Linux and/or Windows operating systems.

Knowledge
5690

Process image with appropriate tools depending on analyst’s goals.

Task
5700

Perform Windows registry analysis.

Task
5720

Perform file and registry monitoring on the running system after identifying intrusion via dynamic analysis.

Task
5730

Enter media information into tracking database (e.g., Product Tracker Tool) for digital media that has been acquired.

Task
5740

Correlate incident data and perform cyber defense reporting.

Task
5760

Maintain deployable cyber defense toolkit (e.g., specialized cyber defense software/hardware) to support IRT mission.

Task
6210

Knowledge of cloud service models and possible limitations for an incident response.

Knowledge
6820

Knowledge of network architecture concepts including topology, protocols, and components.

Knowledge
Cyber Defense Incident Responder Work Role ID: 531 (NIST: PR-IR-001) Workforce Element: Cybersecurity

Investigates, analyzes, and responds to cyber incidents within the network environment or enclave.

Core KSATs

KSAT ID Description KSAT
22

* Knowledge of computer networking concepts and protocols, and network security methodologies.

Knowledge
37

Knowledge of disaster recovery continuity of operations plans.

Knowledge
50

Knowledge of how network services and protocols interact to provide network communications.

Knowledge
60

Knowledge of incident categories, incident responses, and timelines for responses.

Knowledge
61

Knowledge of incident response and handling methodologies.

Knowledge
66

Knowledge of intrusion detection methodologies and techniques for detecting host and network-based intrusions via intrusion detection technologies.

Knowledge
81A

Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.

Knowledge
105

Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).

Knowledge
108

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

Knowledge
150

Knowledge of what constitutes a network attack and the relationship to both threats and vulnerabilities.

Knowledge
153

Skill in identifying, capturing, containing, and reporting malware.

Skill
217

Skill in preserving evidence integrity according to standard operating procedures or national standards.

Skill
470

Coordinate and provide expert technical support to enterprise-wide cyber defense technicians to resolve cyber defense incidents.

Task
716A

Monitor external data sources (e.g., cyber defense vendor sites, Computer Emergency Response Teams, Security Focus) to maintain currency of cyber defense threat condition and determine which security issues may have an impact on the enterprise.

Task
741A

Coordinate incident response functions.

Task
745

Perform cyber defense trend analysis and reporting.

Task
755

Perform initial, forensically sound collection of images and inspect to discern possible mitigation/remediation on enterprise systems.

Task
823

Receive and analyze network alerts from various sources within the enterprise and determine possible causes of such alerts.

Task
882

Write and publish cyber defense techniques, guidance, and reports on incident findings to appropriate constituencies.

Task
893

Skill in securing network communications.

Skill
895

Skill in recognizing and categorizing types of vulnerabilities and associated attacks.

Skill
896

Skill in protecting a network against malware.

Skill
897

Skill in performing damage assessments.

Skill
923A

Skill in using security event correlation tools.

Skill
984

Knowledge of cyber defense policies, procedures, and regulations.

Knowledge
991

Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution).

Knowledge
1029A

Knowledge of malware analysis concepts and methodologies.

Knowledge
1030

Collect intrusion artifacts (e.g., source code, malware, trojans) and use discovered data to enable mitigation of potential cyber defense incidents within the enterprise.

Task
1033

Knowledge of basic system administration, network, and operating system hardening techniques.

Knowledge
1069

Knowledge of general attack stages (e.g., footprinting and scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks).

Knowledge
1072

Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).

Knowledge
1157

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

Knowledge
1158

* Knowledge of cybersecurity principles.

Knowledge
1159

* Knowledge of cyber threats and vulnerabilities.

Knowledge
3431

Knowledge of OSI model and underlying network protocols (e.g., TCP/IP).

Knowledge
5670

Write and publish after action reviews.

Task
6210

Knowledge of cloud service models and possible limitations for an incident response.

Knowledge
6900

* Knowledge of specific operational impacts of cybersecurity lapses.

Knowledge
6935

* Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

Knowledge
6938

* Knowledge of cloud computing deployment models in private, public, and hybrid environments and the difference between on-premises and off-premises environments.

Knowledge

Additional KSATs

KSAT ID Description KSAT
29

Knowledge of data backup, types of backups (e.g., full, incremental), and recovery concepts and tools.

Knowledge
49

Knowledge of host/network access control mechanisms (e.g., access control list).

Knowledge
87

Knowledge of network traffic analysis methods.

Knowledge
93

Knowledge of packet-level analysis.

Knowledge
478

Correlate incident data to identify specific vulnerabilities and make recommendations that enable expeditious remediation.

Task
738

Perform analysis of log files from a variety of sources (e.g., individual host logs, network traffic logs, firewall logs, and intrusion detection system [IDS] logs) to identify possible threats to network security.

Task
743

Perform cyber defense incident triage, to include determining scope, urgency, and potential impact; identifying the specific vulnerability; and making recommendations that enable expeditious remediation.

Task
762

Perform real-time cyber defense incident handling (e.g., forensic collections, intrusion correlation and tracking, threat analysis, and direct system remediation) tasks to support deployable Incident Response Teams (IRTs).

Task
861

Track and document cyber defense incidents from initial detection through final resolution.

Task
961

Employ approved defense-in-depth principles and practices (e.g., defense-in-multiple places, layered defenses, security robustness).

Task
992C

Knowledge of threat environments (e.g., first generation threat actors, threat activities).

Knowledge
1031

Serve as technical expert and liaison to law enforcement personnel and explain incident details as required.

Task
1141A

Knowledge of an organization’s information classification program and procedures for information compromise.

Knowledge
2179

Coordinate with intelligence analysts to correlate threat assessment data.

Task
3362A

Knowledge of key factors of the operational environment and related threats and vulnerabilities.

Knowledge
3561

Knowledge of the common networking and routing protocols (e.g., TCP/IP), services (e.g., web, mail, DNS), and how they interact to provide network communications.

Knowledge
6210

Knowledge of cloud service models and possible limitations for an incident response.

Knowledge
Cyber Defense Infrastructure Support Specialist Work Role ID: 521 (NIST: PR-INF-001) Workforce Element: Cybersecurity

Tests, implements, deploys, maintains, and administers the infrastructure hardware and software.

Core KSATs

KSAT ID Description KSAT
22

* Knowledge of computer networking concepts and protocols, and network security methodologies.

Knowledge
49

Knowledge of host/network access control mechanisms (e.g., access control list).

Knowledge
59A

Knowledge of Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) tools and applications.

Knowledge
61

Knowledge of incident response and handling methodologies.

Knowledge
63

Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).

Knowledge
81A

Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.

Knowledge
87A

Knowledge of network traffic analysis (tools, methodologies, processes).

Knowledge
92B

Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol (TCP), Internet Protocol (IP), Open System Interconnection Model (OSI)).

Knowledge
108

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

Knowledge
148

Knowledge of Virtual Private Network (VPN) security.

Knowledge
150

Knowledge of what constitutes a network attack and the relationship to both threats and vulnerabilities.

Knowledge
643A

Identify potential conflicts with implementation of any cyber defense tools (e.g., tool and signature testing and optimization).

Task
960

Assist in identifying, prioritizing, and coordinating the protection of critical cyber defense infrastructure and key resources.

Task
984

Knowledge of cyber defense policies, procedures, and regulations.

Knowledge
1012A

Knowledge of test procedures, principles, and methodologies (e.g., Capabilities and Maturity Model Integration (CMMI)).

Knowledge
1072

Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).

Knowledge
1157

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

Knowledge
1158

* Knowledge of cybersecurity principles.

Knowledge
1159

* Knowledge of cyber threats and vulnerabilities.

Knowledge
2772

Build, install, configure, and test dedicated cyber defense hardware.

Task
5090

Assist in assessing the impact of implementing and sustaining a dedicated cyber defense infrastructure.

Task
6700

Skill in troubleshooting and diagnosing cyber defense infrastructure anomalies and working through resolution.

Skill
6900

* Knowledge of specific operational impacts of cybersecurity lapses.

Knowledge
6935

* Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

Knowledge
6938

* Knowledge of cloud computing deployment models in private, public, and hybrid environments and the difference between on-premises and off-premises environments.

Knowledge

Additional KSATs

KSAT ID Description KSAT
29

Knowledge of data backup, types of backups (e.g., full, incremental), and recovery concepts and tools.

Knowledge
93

Knowledge of packet-level analysis.

Knowledge
157

Skill in applying host/network access controls (e.g., access control list).

Skill
227

Skill in tuning sensors.

Skill
229

Skill in using incident handling methodologies.

Skill
237

Skill in using Virtual Private Network (VPN) devices and encryption.

Skill
393B

Coordinate with system administrators to create cyber defense tools, test bed(s), and test and evaluate applications, hardware infrastructure, rules/signatures, access controls, and configurations of platforms managed by service provider(s).

Task
471

Coordinate with Cyber Defense Analysts to manage and administer the updating of rules and signatures (e.g., intrusion detection/protection systems, anti-virus, and content blacklists) for specialized cyber defense applications.

Task
481A

Create, edit, and manage network access control lists on specialized cyber defense systems (e.g., firewalls and intrusion prevention systems).

Task
654B

Implement risk assessment and authorization requirements per the Risk Management Framework (RMF) process for dedicated cyber defense systems within the enterprise, and document and maintain records for them.

Task
769

Perform system administration on specialized cyber defense applications and systems (e.g., anti-virus, audit and remediation) or Virtual Private Network (VPN) devices, to include installation, configuration, maintenance, backup and restoration.

Task
893

Skill in securing network communications.

Skill
896

Skill in protecting a network against malware.

Skill
900

Knowledge of web filtering technologies.

Knowledge
1074A

Knowledge of transmission records (e.g., Bluetooth, Radio Frequency Identification (RFID), Infrared Networking (IR), Wireless Fidelity (Wi-Fi), paging, cellular, satellite dishes, Voice over Internet Protocol (VoIP)), and jamming techniques that enable transmission of undesirable information, or prevent installed systems from operating correctly.

Knowledge
1125

Knowledge of Cloud-based knowledge management technologies and concepts related to security, governance, procurement, and administration.

Knowledge
3143

Knowledge of basic system, network, and OS hardening techniques.

Knowledge
6210

Knowledge of cloud service models and possible limitations for an incident response.

Knowledge
6670

Skill in system, network, and OS hardening techniques.

Skill
6918

Ability to apply cybersecurity strategy to cloud computing service and deployment models, identifying proper architecture for different operating environments.

Ability
6919

Ability to determine the best cloud deployment model for the appropriate operating environment.

Ability
6942

Skill in designing or implementing cloud computing deployment models.

Skill
6945

Skill in migrating workloads to, from, and among the different cloud computing service models.

Skill
Information Systems Security Developer Work Role ID: 631 (NIST: SP-SYS-001) Workforce Element: Cybersecurity

Designs, develops, tests, and evaluates information system security throughout the systems development lifecycle.

Core KSATs

KSAT ID Description KSAT
8A

Knowledge of access authentication methods.

Knowledge
21

Knowledge of computer algorithms.

Knowledge
22

* Knowledge of computer networking concepts and protocols, and network security methodologies.

Knowledge
25

Knowledge of encryption algorithms (e.g., Internet Protocol Security [IPSEC], Advanced Encryption Standard [AES], Generic Routing Encapsulation [GRE], Internet Key Exchange [IKE], Message Digest Algorithm [MD5], Secure Hash Algorithm [SHA], Triple Data Encryption Standard [3DES]).

Knowledge
27A

Knowledge of cryptology.

Knowledge
34

Knowledge of database systems.

Knowledge
38

Knowledge of organization’s enterprise information security architecture system.

Knowledge
43A

Knowledge of embedded systems.

Knowledge
46

Knowledge of fault tolerance.

Knowledge
51

Knowledge of how system components are installed, integrated, and optimized.

Knowledge
52

Knowledge of human-computer interaction principles.

Knowledge
63

Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).

Knowledge
64

Knowledge of information security systems engineering principles.

Knowledge
70

Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption).

Knowledge
72

Knowledge of local area and wide area networking principles and concepts including bandwidth management.

Knowledge
79

Knowledge of network access, identity, and access management (e.g., public key infrastructure [PKI]).

Knowledge
81A

Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.

Knowledge
82A

Knowledge of network design processes, to include understanding of security objectives, operational objectives, and tradeoffs.

Knowledge
90

Knowledge of operating systems.

Knowledge
92

Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]).

Knowledge
94

Knowledge of parallel and distributed computing concepts.

Knowledge
98

Knowledge of policy-based and risk adaptive access controls.

Knowledge
101

Knowledge of process engineering concepts.

Knowledge
108

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

Knowledge
109

Knowledge of secure configuration management techniques.

Knowledge
110A

Knowledge of security management.

Knowledge
118

Knowledge of software development models (e.g., Waterfall Model, Spiral Model).

Knowledge
119

Knowledge of software engineering.

Knowledge
121

Knowledge of structured analysis principles and methods.

Knowledge
124

Knowledge of system design tools, methods, and techniques, including automated systems analysis and design tools.

Knowledge
126

Knowledge of system software and organizational design standards, policies, and authorized approaches (e.g., International Organization for Standardization [ISO] guidelines) relating to system design.

Knowledge
129

Knowledge of system life cycle management principles, including software security and usability.

Knowledge
130

Knowledge of systems testing and evaluation methods.

Knowledge
144

Knowledge of the systems engineering process.

Knowledge
177

Skill in designing countermeasures to identified security risks.

Skill
179

Skill in designing security controls based on cybersecurity principles and tenets.

Skill
197

Skill in discerning the protection needs (i.e., security controls) of information systems and networks.

Skill
199

Skill in evaluating the adequacy of security designs.

Skill
416

Analyze design constraints, analyze trade-offs and detailed system and security design, and consider lifecycle support.

Task
419

Apply security policies to applications that interface with one another, such as Business-to-Business (B2B) applications.

Task
425

Assess the effectiveness of cybersecurity measures utilized by system(s).

Task
426

Assess threats to and vulnerabilities of computer system(s) to develop a security risk profile.

Task
431

Build, test, and modify product prototypes using working models or theoretical models.

Task
457

Conduct Privacy Impact Assessments (PIA) of the application’s security design for the appropriate security controls, which protect the confidentiality and integrity of Personally Identifiable Information (PII).

Task
494

Design and develop cybersecurity or cybersecurity-enabled products.

Task
496A

Design, develop, integrate, and update system security measures that provide confidentiality, integrity, availability, authentication, and non-repudiation.

Task
501

Design or integrate appropriate data backup capabilities into overall system designs, and ensure appropriate technical and procedural processes exist for secure system backups and protected storage of backup data.

Task
503A

Design to security requirements to ensure requirements are met for all systems and/or applications.

Task
516

Develop and direct system testing and validation procedures and documentation.

Task
530

Develop detailed security design documentation for component and interface specifications to support system design and development.

Task
531

Develop Disaster Recovery and Continuity of Operations plans for systems under development and ensure testing prior to systems entering a production environment.

Task
630

Identify and direct the remediation of technical problems encountered during testing and implementation of new systems (e.g., identify and find work-arounds for communication protocols that are not interoperable).

Task
659

Implement security designs for new or existing system(s).

Task
662

Incorporate cybersecurity vulnerability solutions into system designs (e.g., Cybersecurity Vulnerability Alerts).

Task
737B

Perform an information security risk assessment.

Task
766A

Perform security reviews and identify security gaps in architecture.

Task
770

Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change.

Task
809

Provide input to the Risk Management Framework process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials).

Task
850

Store, retrieve, and manipulate data for analysis of system capabilities and requirements.

Task
856

Provide support to security/certification test and evaluation activities.

Task
997

Design and develop key management functions (as related to cybersecurity).

Task
998

Analyze user needs and requirements to plan and conduct system security development.

Task
1000

Ensure security design and cybersecurity development activities are properly documented (providing a functional description of security implementation) and updated as necessary.

Task
1002

Skill in conducting audits or reviews of technical systems.

Skill
1072

Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).

Knowledge
1073

Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools.

Knowledge
1133

Knowledge of service management concepts for networks and related standards (e.g., Information Technology Infrastructure Library, current version [ITIL]).

Knowledge
1142

Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model).

Knowledge
1152

Implement and integrate system development life cycle (SDLC) methodologies (e.g., IBM Rational Unified Process) into development environment.

Task
1157

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

Knowledge
1158

* Knowledge of cybersecurity principles.

Knowledge
1159

* Knowledge of cyber threats and vulnerabilities.

Knowledge
2354

Employ configuration management processes.

Task
5200

Design, implement, test, and evaluate secure interfaces between information systems, physical systems, and/or embedded technologies.

Task
6900

* Knowledge of specific operational impacts of cybersecurity lapses.

Knowledge
6935

* Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

Knowledge
6938

* Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments.

Knowledge

Additional KSATs

KSAT ID Description KSAT
3B

Skill in conducting vulnerability scans and recognizing vulnerabilities in information systems and networks.

Skill
40

Knowledge of organization’s evaluation and validation requirements.

Knowledge
42

Knowledge of electrical engineering as applied to computer architecture, including circuit boards, processors, chips, and associated computer hardware.

Knowledge
65A

Knowledge of Information Theory (e.g., source coding, channel coding, algorithm complexity theory, and data compression).

Knowledge
75

Knowledge of mathematics, including logarithms, trigonometry, linear algebra, calculus, and statistics.

Knowledge
78

Knowledge of microprocessors.

Knowledge
100

Knowledge of Privacy Impact Assessments.

Knowledge
133

Knowledge of key telecommunications concepts (e.g., Routing Algorithms, Fiber Optics Systems Link Budgeting, Add/Drop Multiplexers).

Knowledge
173A

Skill in integrating and applying policies that meet system security objectives.

Skill
177A

Knowledge of countermeasure design for identified security risks.

Knowledge
180

Skill in designing the integration of hardware and software solutions.

Skill
191

Skill in developing and applying security system access controls.

Skill
224A

Skill in the use of design modeling (e.g., unified modeling language).

Skill
542A

Develop risk mitigation strategies and cybersecurity countermeasures to address cost, performance, and security risks and to resolve vulnerabilities and recommend security changes to system or system components as needed.

Task
542A

Develop mitigation strategies to address cost, schedule, performance, and security risks.

Task
626

Identify components or elements, allocate security functions to those elements, and describe the relationships between the elements.

Task
632

Identify and prioritize essential system functions or sub-systems required to support essential capabilities or business functions for restoration or recovery after a system failure or during a system recovery event based on overall system requirements for continuity and availability.

Task
648

Identify, assess, and recommend cybersecurity or cybersecurity-enabled products for use within a system and ensure recommended products are in compliance with organization’s evaluation and validation requirements.

Task
710

Monitor and evaluate a system’s compliance with information technology (IT) security, resilience, and dependability requirements.

Task
803

Provide guidelines for implementing developed systems to customers or installation teams.

Task
808A

Provide input to implementation plans and standard operating procedures as they relate to information systems security.

Task
860A

Trace system requirements to design components and perform gap analysis.

Task
874

Utilize models and simulations to analyze or predict system performance under different operating conditions.

Task
877A

Verify stability, interoperability, portability, and/or scalability of system architecture.

Task
904

Knowledge of interpreted and compiled computer languages.

Knowledge
936

Develop security compliance processes and/or audits for external services (e.g., cloud service providers, data centers).

Task
999

Develop cybersecurity designs to meet specific operational needs and environmental factors (e.g., access controls, automated applications, networked operations, high integrity and availability requirements, multilevel security/processing of multiple classification levels, and processing Sensitive Compartmented Information).

Task
1034A

Knowledge of Personally Identifiable Information (PII) data security standards.

Knowledge
1034B

Knowledge of Payment Card Industry (PCI) data security standards.

Knowledge
1034C

Knowledge of Personal Health Information (PHI) data security standards.

Knowledge
1037

Knowledge of information technology (IT) supply chain security and risk management policies, requirements, and procedures.

Knowledge
1038B

Knowledge of local specialized system requirements (e.g., critical infrastructure/control systems that may not use standard information technology [IT]) for safety, performance, and reliability.

Knowledge
1125

Knowledge of Cloud-based knowledge management technologies and concepts related to security, governance, procurement, and administration.

Knowledge
1135

Knowledge of the application firewall concepts and functions (e.g., Single point of authentication/audit/policy enforcement, message scanning for malicious content, data anonymization for PCI and PII compliance, data loss protection scanning, accelerated cryptographic operations, SSL security, REST/JSON processing).

Knowledge
1140A

Skill in using Public-Key Infrastructure (PKI) encryption and digital signature capabilities into applications (e.g., S/MIME email, SSL traffic).

Skill
1141A

Knowledge of an organization’s information classification program and procedures for information compromise.

Knowledge
6918

Ability to apply cybersecurity strategy to cloud computing service and deployment models, identifying proper architecture for different operating environments.

Ability
6919

Ability to determine the best cloud deployment model for the appropriate operating environment.

Ability
Information Systems Security Manager Work Role ID: 722 (NIST: OV-MG-001) Workforce Element: Cybersecurity

Responsible for the cybersecurity of a program, organization, system, or enclave.

Core KSATs

KSAT ID Description KSAT
22

* Knowledge of computer networking concepts and protocols, and network security methodologies.

Knowledge
29

Knowledge of data backup, types of backups (e.g., full, incremental), and recovery concepts and tools.

Knowledge
37

Knowledge of disaster recovery continuity of operations plans.

Knowledge
49

Knowledge of host/network access control mechanisms (e.g., access control list).

Knowledge
55

Knowledge of cybersecurity principles used to manage risks related to the use, processing, storage, and transmission of information or data.

Knowledge
58

Knowledge of known vulnerabilities from alerts, advisories, errata, and bulletins.

Knowledge
61

Knowledge of incident response and handling methodologies.

Knowledge
66

Knowledge of intrusion detection methodologies and techniques for detecting host and network-based intrusions via intrusion detection technologies.

Knowledge
77

Knowledge of current industry methods for evaluating, implementing, and disseminating information technology (IT) security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities.

Knowledge
108

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

Knowledge
112

Knowledge of server administration and systems engineering theories, concepts, and methods.

Knowledge
126

Knowledge of system software and organizational design standards, policies, and authorized approaches (e.g., International Organization for Standardization [ISO] guidelines) relating to system design.

Knowledge
129

Knowledge of system life cycle management principles, including software security and usability.

Knowledge
143

Knowledge of the organization’s enterprise information technology (IT) goals and objectives.

Knowledge
150

Knowledge of what constitutes a network attack and the relationship to both threats and vulnerabilities.

Knowledge
173

Skill in creating policies that reflect system security objectives.

Skill
183

Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.

Skill
299

Knowledge of information security program management and project management principles and techniques.

Knowledge
391

Acquire and manage the necessary resources, including leadership support, financial resources, and key security personnel, to support information technology (IT) security goals and objectives and reduce overall organizational risk.

Task
395

Advise senior management (e.g., CIO) on risk levels and security posture.

Task
397

Advise appropriate senior leadership or Authorizing Official of changes affecting the organization’s cybersecurity posture.

Task
440

Collect and maintain data needed to meet system cybersecurity reporting.

Task
445

Communicate the value of information technology (IT) security throughout all levels of the organization's stakeholders.

Task
578

Ensure security improvement actions are evaluated, validated, and implemented as required.

Task
584

Ensure that cybersecurity inspections, tests, and reviews are coordinated for the network environment.

Task
585

Ensure that cybersecurity requirements are integrated into the continuity planning for that system and/or organization(s).

Task
628

Identify alternative information security strategies to address organizational security objectives.

Task
640

Identify information technology (IT) security program implications of new technologies or technology upgrades.

Task
677

Interpret patterns of non-compliance to determine their impact on levels of risk and/or overall effectiveness of the enterprise’s cybersecurity program.

Task
705

Manage the monitoring of information security data sources to maintain organizational situational awareness.

Task
730

Oversee the information security training and awareness program.

Task
733

Participate in the development or modification of the computer environment cybersecurity program plans and requirements.

Task
790

Prepare, distribute, and maintain plans, instructions, guidance, and standard operating procedures concerning the security of network system(s) operations.

Task
816

Provide system-related input on cybersecurity requirements to be included in statements of work and other appropriate procurement documents.

Task
824

Recognize a possible security violation and take appropriate action to report the incident, as required.

Task
828

Recommend resource allocations required to securely operate and maintain an organization’s cybersecurity requirements.

Task
852

Supervise or manage protective or corrective measures when a cybersecurity incident or vulnerability is discovered.

Task
862

Track audit findings and recommendations to ensure appropriate mitigation actions are taken.

Task
919

Promote awareness of security issues among management and ensure sound security principles are reflected in the organization’s vision and goals.

Task
947

Oversee policy standards and implementation strategies to ensure procedures and guidelines comply with cybersecurity policies.

Task
962

Identify security requirements specific to an information technology (IT) system in all phases of the System Life Cycle.

Task
963

Ensure plans of actions and milestones or remediation plans are in place for vulnerabilities identified during risk assessments, audits, inspections, etc.

Task
964

Assure successful implementation and functionality of security requirements and appropriate information technology (IT) policies and procedures that are consistent with the organization’s mission and goals.

Task
965

Knowledge of organization’s risk tolerance and/or risk management approach.

Knowledge
966

Knowledge of enterprise incident response program, roles, and responsibilities.

Knowledge
967

Knowledge of current and emerging threats/threat vectors.

Knowledge
1016

Support necessary compliance activities (e.g., ensure system security configuration guidelines are followed, compliance monitoring occurs).

Task
1032

Continuously validate the organization against policies/guidelines/procedures/regulations/laws to ensure compliance.

Task
1034A

Knowledge of Personally Identifiable Information (PII) data security standards.

Knowledge
1036

Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed.

Knowledge
1037

Knowledge of information technology (IT) supply chain security and risk management policies, requirements, and procedures.

Knowledge
1072

Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).

Knowledge
1141A

Knowledge of an organization’s information classification program and procedures for information compromise.

Knowledge
1157

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

Knowledge
1158

* Knowledge of cybersecurity principles.

Knowledge
1159

* Knowledge of cyber threats and vulnerabilities.

Knowledge
6900

* Knowledge of specific operational impacts of cybersecurity lapses.

Knowledge
6935

* Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

Knowledge
6938

* Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments.

Knowledge

Additional KSATs

KSAT ID Description KSAT
9

Knowledge of applicable business processes and operations of customer organizations.

Knowledge
25

Knowledge of encryption algorithms (e.g., Internet Protocol Security [IPSEC], Advanced Encryption Standard [AES], Generic Routing Encapsulation [GRE], Internet Key Exchange [IKE], Message Digest Algorithm [MD5], Secure Hash Algorithm [SHA], Triple Data Encryption Standard [3DES]).

Knowledge
62

Knowledge of industry-standard and organizationally accepted analysis principles and methods.

Knowledge
69A

Knowledge of risk management processes and requirements per the Risk Management Framework (RMF).

Knowledge
76

Knowledge of measures or indicators of system performance and availability.

Knowledge
81A

Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.

Knowledge
87

Knowledge of network traffic analysis methods.

Knowledge
88A

Knowledge of current and emerging cyber technologies.

Knowledge
92

Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]).

Knowledge
95A

Knowledge of penetration testing principles, tools, and techniques.

Knowledge
105

Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).

Knowledge
107

Knowledge of resource management principles and techniques.

Knowledge
113

Knowledge of server and client operating systems.

Knowledge
132

Knowledge of technology integration processes.

Knowledge
325

Knowledge of secure acquisitions (e.g., relevant Contracting Officer’s Technical Representative [COTR] duties, secure procurement, supply chain risk management).

Knowledge
392

Acquire necessary resources, including financial resources, to conduct an effective enterprise continuity of operations program.

Task
396

Advise senior management (e.g., CIO) on cost/benefit analysis of information security programs, policies, processes, and systems, and elements.

Task
475

Collaborate with stakeholders to establish the enterprise continuity of operations program, strategy, and mission assurance.

Task
572

Ensure application of security patches for commercial products integrated into system design meet the timelines dictated by the management authority for the intended operational environment.

Task
590

Ensure that protection and detection capabilities are acquired or developed using the IS security engineering approach and are consistent with organization-level cybersecurity architecture.

Task
596

Establish overall enterprise information security architecture (EISA) with the organization’s overall security strategy.

Task
598A

Evaluate and approve development efforts to ensure that baseline security safeguards controls/measures are appropriately installed.

Task
600

Evaluate cost benefit, economic, and risk analysis in decision making process.

Task
674

Interface with external organizations (e.g., public affairs, law enforcement, Command or Component Inspector General) to ensure appropriate and accurate dissemination of incident and other Computer Network Defense information.

Task
676

Interpret and/or approve security requirements relative to the capabilities of new information technologies.

Task
679

Lead and align information technology (IT) security priorities with the security strategy.

Task
680

Lead and oversee information security budget, staffing, and contracting.

Task
706

Manage the publishing of Computer Network Defense guidance (e.g., TCNOs, Concept of Operations, Net Analyst Reports, NTSM, MTOs) for the enterprise constituency.

Task
707

Manage threat or target analysis of cyber defense information and production of threat information within the enterprise.

Task
711

Monitor and evaluate the effectiveness of the enterprise’s cybersecurity safeguards to ensure they provide the intended level of protection.

Task
731A

Participate in risk assessment and authorization per Risk Management Framework processes.

Task
801

Provide enterprise cybersecurity and supply chain risk management guidance for development of the Continuity of Operations Plans.

Task
810

Provide leadership and direction to information technology (IT) personnel by ensuring that cybersecurity awareness, basics, literacy, and training are provided to operations personnel commensurate with their responsibilities.

Task
818

Provide technical documents, incident reports, findings from computer examinations, summaries, and other situational awareness information to higher headquarters.

Task
848

Recommend policy and coordinate review and approval.

Task
869

Use federal and organization-specific published documents to manage operations of their computing environment system(s).

Task
948

Participate in Risk Governance process to provide security risks, mitigations, and input on other technical risk.

Task
949

Evaluate the effectiveness of procurement function in addressing information security requirements and supply chain risks through procurement activities and recommend improvements.

Task
1004

Knowledge of critical information technology (IT) procurement requirements.

Knowledge
1017

Participate in the acquisition process as necessary, following appropriate supply chain risk management practices.

Task
1018

Ensure all acquisitions, procurements, and outsourcing efforts address information security requirements consistent with organization goals.

Task
1033

Knowledge of basic system administration, network, and operating system hardening techniques.

Knowledge
1034C

Knowledge of Personal Health Information (PHI) data security standards.

Knowledge
1034B

Knowledge of Payment Card Industry (PCI) data security standards.

Knowledge
1035

Forecast ongoing service demands and ensure security assumptions are reviewed as necessary.

Task
1038B

Knowledge of local specialized system requirements (e.g., critical infrastructure/control systems that may not use standard information technology [IT]) for safety, performance, and reliability.

Knowledge
1039

Skill in evaluating the trustworthiness of the supplier and/or product.

Skill
1040A

Knowledge of relevant laws, policies, procedures, or governance related to critical infrastructure.

Knowledge
1041

Define and/or implement policies and procedures to ensure protection of critical infrastructure as appropriate.

Task
1073

Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools.

Knowledge
1131

Knowledge of security architecture concepts and enterprise architecture reference models (e.g., Zachman, Federal Enterprise Architecture [FEA]).

Knowledge
6918

Ability to apply cybersecurity strategy to cloud computing service and deployment models, identifying proper architecture for different operating environments.

Ability
Secure Software Assessor Work Role ID: 622 (NIST: SP-DEV-002) Workforce Element: Cybersecurity

Analyzes the security of new or existing computer applications, software, or specialized utility programs and provides actionable results.

Core KSATs

KSAT ID Description KSAT
22

* Knowledge of computer networking concepts and protocols, and network security methodologies.

Knowledge
40

Knowledge of organization’s evaluation and validation requirements.

Knowledge
56

Knowledge of cybersecurity principles and methods that apply to software development.

Knowledge
63

Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).

Knowledge
90

Knowledge of operating systems.

Knowledge
105

Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).

Knowledge
108

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

Knowledge
109

Knowledge of secure configuration management techniques.

Knowledge
177

Skill in designing countermeasures to identified security risks.

Skill
197

Skill in discerning the protection needs (i.e., security controls) of information systems and networks.

Skill
417

Apply coding and testing standards, apply security testing tools including “fuzzing” and static-analysis code scanning tools, and conduct code reviews.

Task
432

Capture security controls used during the requirements phase to integrate security within the process, to identify key security objectives, and to maximize software security while minimizing disruption to plans and schedules.

Task
467

Consult with engineering staff to evaluate interface between hardware and software.

Task
515B

Develop secure software testing and validation procedures.

Task
634

Identify basic common coding flaws at a high level.

Task
645

Identify security issues around steady state operation and management of software and incorporate security measures that must be taken when a product reaches its end of life.

Task
764A

Perform secure program testing, review, and/or assessment to identify potential flaws in codes and mitigate vulnerabilities.

Task
770

Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change.

Task
826

Address security implications in the software acceptance phase including completion criteria, risk acceptance and documentation, common criteria, and methods of independent testing.

Task
865

Translate security requirements into application design elements including documenting the elements of the software attack surfaces, conducting threat modeling, and defining any specific security criteria.

Task
972A

Determine and document software patches or the extent of releases that would leave software vulnerable.

Task
973A

Skill in using code analysis tools.

Skill
976

Knowledge of software quality assurance process.

Knowledge
1020A

Skill in secure test plan design (e.g., unit, integration, system, acceptance).

Skill
1034A

Knowledge of Personally Identifiable Information (PII) data security standards.

Knowledge
1037A

Knowledge of information technology (IT) risk management policies, requirements, and procedures.

Knowledge
1071

Knowledge of secure software deployment methodologies, tools, and practices.

Knowledge
1157

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

Knowledge
1158

* Knowledge of cybersecurity principles.

Knowledge
1159

* Knowledge of cyber threats and vulnerabilities.

Knowledge
6900

* Knowledge of specific operational impacts of cybersecurity lapses.

Knowledge
6935

* Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

Knowledge
6938

* Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments.

Knowledge

Additional KSATs

KSAT ID Description KSAT
3B

Skill in conducting vulnerability scans and recognizing vulnerabilities in information systems and networks.

Skill
20

Knowledge of complex data structures.

Knowledge
23

Knowledge of computer programming principles such as object-oriented design.

Knowledge
38

Knowledge of organization’s enterprise information security architecture system.

Knowledge
43A

Knowledge of embedded systems.

Knowledge
72

Knowledge of local area and wide area networking principles and concepts including bandwidth management.

Knowledge
74

Knowledge of low-level computer languages (e.g., assembly languages).

Knowledge
81A

Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.

Knowledge
95A

Knowledge of penetration testing principles, tools, and techniques.

Knowledge
100

Knowledge of Privacy Impact Assessments.

Knowledge
102

Knowledge of programming language structures and logic.

Knowledge
116

Knowledge of software debugging principles.

Knowledge
117

Knowledge of software design tools, methods, and techniques.

Knowledge
118

Knowledge of software development models (e.g., Waterfall Model, Spiral Model).

Knowledge
119

Knowledge of software engineering.

Knowledge
121

Knowledge of structured analysis principles and methods.

Knowledge
124

Knowledge of system design tools, methods, and techniques, including automated systems analysis and design tools.

Knowledge
149

Knowledge of web services, including service-oriented architecture, Simple Object Access Protocol, and web service description language.

Knowledge
168

Skill in conducting software debugging.

Skill
191

Skill in developing and applying security system access controls.

Skill
408A

Analyze and provide information to stakeholders that will support the development of a security application or modification of an existing security application.

Task
414A

Analyze security needs and software requirements to determine feasibility of design within time and cost constraints and security mandates.

Task
418

Apply secure code documentation.

Task
459A

Conduct trial runs of programs and software applications to ensure the desired information is produced and instructions and security levels are correct.

Task
465

Develop threat model based on customer interviews and requirements.

Task
515C

Develop system testing and validation procedures, programming, and documentation.

Task
602

Evaluate factors such as reporting formats required, cost constraints, and need for security restrictions to determine hardware configuration.

Task
644

Identify security implications and apply methodologies within centralized and decentralized environments across the enterprise’s computer systems in software development.

Task
710

Monitor and evaluate a system’s compliance with information technology (IT) security, resilience, and dependability requirements.

Task
756

Perform integrated quality assurance testing for security functionality and resiliency to attack.

Task
850

Store, retrieve, and manipulate data for analysis of system capabilities and requirements.

Task
904

Knowledge of interpreted and compiled computer languages.

Knowledge
905

Knowledge of secure coding techniques.

Knowledge
936

Develop security compliance processes and/or audits for external services (e.g., cloud service providers, data centers).

Task
968

Knowledge of software related information technology (IT) security principles and methods (e.g., modularization, layering, abstraction, data hiding, simplicity/minimization).

Knowledge
969

Perform penetration testing as required for new or updated applications.

Task
975

Skill in integrating black box security testing tools into quality assurance process of software releases.

Skill
978A

Knowledge of root cause analysis techniques.

Knowledge
979

Knowledge of supply chain risk management standards, processes, and practices.

Knowledge
980A

Skill in performing root cause analysis.

Skill
1034B

Knowledge of Payment Card Industry (PCI) data security standards.

Knowledge
1034C

Knowledge of Protected Health Information (PHI) data security standards.

Knowledge
1038B

Knowledge of local specialized system requirements (e.g., critical infrastructure/control systems that may not use standard information technology [IT]) for safety, performance, and reliability.

Knowledge
1072

Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).

Knowledge
1131

Knowledge of security architecture concepts and enterprise architecture reference models (e.g., Zachman, Federal Enterprise Architecture [FEA]).

Knowledge
1135

Knowledge of application firewall concepts and functions (e.g., single point of authentication/audit/policy enforcement, message scanning for malicious content, data anonymization for PCI and PII compliance, data loss prevention scanning, accelerated cryptographic operations, SSL/TLS termination, REST/JSON processing).

Knowledge
1140A

Skill in integrating Public Key Infrastructure (PKI) encryption and digital signature capabilities into applications (e.g., S/MIME email, SSL/TLS traffic).

Skill
2156

Consult with customers about software system design and maintenance.

Task
2335

Direct software programming and development of documentation.

Task
2839

Supervise and assign work to programmers, designers, technologists and technicians and other engineering and scientific personnel.

Task
3080

Ability to use and understand complex mathematical concepts (e.g., discrete math).

Ability
6932

Knowledge of mobile device (Android/iOS) development structures, principles, platforms, containers, languages, and the specific vulnerabilities associated with mobile device development.

Knowledge
6944

Skill in implementing defensive programming techniques.

Skill
Security Architect Work Role ID: 652 (NIST: SP-ARC-002) Workforce Element: Cybersecurity

Designs enterprise and systems security throughout the development lifecycle; translates technology and environmental conditions (e.g., law and regulation) into security designs and processes.

Core KSATs

KSAT ID Description KSAT
22

* Knowledge of computer networking concepts and protocols, and network security methodologies.

Knowledge
38

Knowledge of organization’s enterprise information security architecture system.

Knowledge
63

Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).

Knowledge
68B

Ability to design architectures and frameworks.

Ability
70B

Skill in applying cybersecurity methods, such as firewalls, demilitarized zones, and encryption.

Skill
108

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

Knowledge
143A

Knowledge of integrating the organization’s goals and objectives into the architecture.

Knowledge
183

Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.

Skill
197A

Skill in translating operational requirements into protection needs (i.e., security controls).

Skill
534

Develop/integrate cybersecurity designs for systems and networks with multilevel security requirements, or with requirements for the processing of multiple classification levels of data (e.g., UNCLASSIFIED, SECRET, and TOP SECRET), primarily applicable to government organizations.

Task
561

Document and address organization’s information security, cybersecurity architecture, and systems security engineering requirements throughout the acquisition lifecycle.

Task
568

Employ secure configuration management processes.

Task
579

Ensure acquired or developed system(s) and architecture(s) are consistent with organization’s cybersecurity architecture guidelines.

Task
631

Identify and prioritize critical business functions in collaboration with organizational stakeholders.

Task
646A

Document the protection needs (i.e., security controls) for the information system(s) and network(s) and document appropriately.

Task
765

Perform security reviews, identify gaps in security architecture, and develop a security risk management plan.

Task
994

Define and document how the implementation of a new system or new interfaces between systems impacts the security posture of the current environment.

Task
1072A

Ability to apply network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).

Ability
1157

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

Knowledge
1158

* Knowledge of cybersecurity principles.

Knowledge
1159

* Knowledge of cyber threats and vulnerabilities.

Knowledge
2248

Develop a system security context, a preliminary system security CONOPS, and define baseline system security requirements in accordance with applicable cybersecurity requirements.

Task
2390

Evaluate security architectures and designs to determine the adequacy of security design and architecture proposed or provided in response to requirements contained in acquisition documents.

Task
3307

Knowledge of cybersecurity-enabled software products.

Knowledge
6030

Ability to apply an organization’s goals and objectives to develop and maintain architecture.

Ability
6900

* Knowledge of specific operational impacts of cybersecurity lapses.

Knowledge
6935

* Knowledge of cloud computing service models: Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

Knowledge
6938

* Knowledge of cloud computing deployment models (private, public, and hybrid environments) and the difference between on-premises and off-premises environments.

Knowledge

Additional KSATs

KSAT ID Description KSAT
8

Knowledge of authentication, authorization, and access control methods.

Knowledge
21

Knowledge of computer algorithms.

Knowledge
25

Knowledge of encryption algorithms and the protocols and primitives that use them (e.g., Internet Protocol Security [IPsec], Advanced Encryption Standard [AES], Generic Routing Encapsulation [GRE], Internet Key Exchange [IKE], Message Digest Algorithm [MD5], Secure Hash Algorithm [SHA], Triple Data Encryption Standard [3DES]); note that MD5 and 3DES are retired and should not be selected for new designs.

Knowledge
27

Knowledge of cryptography and cryptographic key management concepts.

Knowledge
34

Knowledge of database systems.

Knowledge
40A

Knowledge of organization’s evaluation and validation criteria.

Knowledge
42

Knowledge of electrical engineering as applied to computer architecture, including circuit boards, processors, chips, and associated computer hardware.

Knowledge
43A

Knowledge of embedded systems.

Knowledge
46A

Knowledge of system fault tolerance methodologies.

Knowledge
51

Knowledge of how system components are installed, integrated, and optimized.

Knowledge
52

Knowledge of human-computer interaction principles.

Knowledge
53A

Knowledge of security risk assessments and authorization per Risk Management Framework processes.

Knowledge
53

Knowledge of the Security Assessment and Authorization process.

Knowledge
62

Knowledge of industry-standard and organizationally accepted analysis principles and methods.

Knowledge
65A

Knowledge of Information Theory (e.g., source coding, channel coding, algorithm complexity theory, and data compression).

Knowledge
69A

Knowledge of risk management processes and requirements per the Risk Management Framework (RMF).

Knowledge
75

Knowledge of mathematics, including logarithms, trigonometry, linear algebra, calculus, and statistics.

Knowledge
78

Knowledge of microprocessors.

Knowledge
79

Knowledge of network access, identity, and access management (e.g., public key infrastructure [PKI]).

Knowledge
81A

Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), and directory services.

Knowledge
82A

Knowledge of network design processes, to include understanding of security objectives, operational objectives, and tradeoffs.

Knowledge
90

Knowledge of operating systems.

Knowledge
92

Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]).

Knowledge
94

Knowledge of parallel and distributed computing concepts.

Knowledge
109A

Knowledge of configuration management techniques.

Knowledge
110

Knowledge of key concepts in security management (e.g., Release Management, Patch Management).

Knowledge
111A

Ability to apply secure system design tools, methods and techniques.

Ability
113A

Knowledge of N-tier topologies, including server and client operating systems.

Knowledge
119

Knowledge of software engineering.

Knowledge
124A

Ability to apply system design tools, methods, and techniques, including automated systems analysis and design tools.

Ability
130

Knowledge of systems testing and evaluation methods.

Knowledge
132

Knowledge of technology integration processes.

Knowledge
133

Knowledge of key telecommunications concepts (e.g., routing algorithms, fiber optic system link budgeting, add/drop multiplexers).

Knowledge
141A

Knowledge of the enterprise information technology (IT) architectural concepts and patterns to include baseline and target architectures.

Knowledge
144

Knowledge of the systems engineering process.

Knowledge
155

Skill in applying and incorporating information technologies into proposed solutions.

Skill
180

Skill in designing the integration of hardware and software solutions.

Skill
224

Skill in design modeling and building use cases (e.g., unified modeling language).

Skill
238A

Skill in writing code in a currently supported programming language (e.g., Java, C++).

Skill
413A

Analyze user needs and requirements to plan architecture.

Task
465

Develop threat model based on customer interviews and requirements.

Task
483

Define and prioritize essential system capabilities or business functions required for partial or full system restoration after a catastrophic failure event.

Task
484

Define appropriate levels of system availability based on critical system functions and ensure system requirements identify appropriate disaster recovery and continuity of operations requirements, to include any appropriate fail-over/alternate site requirements, backup requirements, and material supportability requirements for system recovery/restoration.

Task
502A

Develop enterprise architecture or system components required to meet user needs.

Task
525A

Develop procedures and test fail-over for system operations transfer to an alternate site based on system availability requirements.

Task
569A

Document and update as necessary all definition and architecture activities.

Task
602

Evaluate factors such as reporting formats required, cost constraints, and need for security restrictions to determine hardware configuration.

Task
669

Integrate and align information security and/or cybersecurity policies to ensure system analysis meets security requirements.

Task
797

Provide advice on project costs, design concepts, or design changes.

Task
807

Provide input on security requirements to be included in statements of work and other appropriate procurement documents.

Task
809

Provide input to the Risk Management Framework process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials).

Task
864A

Translate proposed capabilities into technical requirements.

Task
865

Translate security requirements into application design elements including documenting the elements of the software attack surfaces, conducting threat modeling, and defining any specific security criteria.

Task
936

Develop security compliance processes and/or audits for external services (e.g., cloud service providers, data centers).

Task
993A

Ability to apply the methods, standards, and approaches for describing, analyzing, and documenting an organization’s enterprise information technology (IT) architecture (e.g., The Open Group Architecture Framework [TOGAF], Department of Defense Architecture Framework [DoDAF], Federal Enterprise Architecture Framework [FEAF]).

Ability
996A

Assess and design security management functions as related to cyberspace.

Task
1034C

Knowledge of Protected Health Information (PHI) data security standards.

Knowledge
1034B

Knowledge of Payment Card Industry (PCI) data security standards.

Knowledge
1034A

Knowledge of Personally Identifiable Information (PII) data security standards.

Knowledge
1037B

Knowledge of program protection planning to include information technology (IT) supply chain security/risk management policies, anti-tampering techniques, and requirements.

Knowledge
1038

Knowledge of local specialized system requirements (e.g., critical infrastructure systems that may not use standard information technology [IT]) for safety, performance, and reliability.

Knowledge
1038B

Knowledge of local specialized system requirements (e.g., critical infrastructure/control systems that may not use standard information technology [IT]) for safety, performance, and reliability.

Knowledge
1073

Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools.

Knowledge
1125

Knowledge of Cloud-based knowledge management technologies and concepts related to security, governance, procurement, and administration.

Knowledge
1130

Knowledge of organizational process improvement concepts and process maturity models (e.g., Capability Maturity Model Integration [CMMI] for Development, CMMI for Services, and CMMI for Acquisition).

Knowledge
1133

Knowledge of service management concepts for networks and related standards (e.g., Information Technology Infrastructure Library, current version [ITIL]).

Knowledge
1135

Knowledge of application firewall concepts and functions (e.g., single point of authentication/audit/policy enforcement, message scanning for malicious content, data anonymization for PCI and PII compliance, data loss prevention scanning, accelerated cryptographic operations, SSL/TLS termination, REST/JSON processing).

Knowledge
1136A

Knowledge of use cases related to collaboration and content synchronization across platforms (e.g., Mobile, PC, Cloud).

Knowledge
1140A

Skill in integrating Public Key Infrastructure (PKI) encryption and digital signature capabilities into applications (e.g., S/MIME email, SSL/TLS traffic).

Skill
1141A

Knowledge of an organization’s information classification program and procedures for information compromise.

Knowledge
1142B

Skill in applying security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model).

Skill
1147A

Develop data management capabilities (e.g., cloud based, centralized cryptographic key management) to include support to the mobile workforce.

Task
2014

Analyze candidate architectures, allocate security services, and select security mechanisms.

Task
2887

Write detailed functional specifications that document the architecture development process.

Task
3153

Knowledge of circuit analysis.

Knowledge
3246

Knowledge of confidentiality, integrity, and availability requirements.

Knowledge
3642

Knowledge of various types of computer architectures.

Knowledge
6150

Ability to optimize systems to meet enterprise performance requirements.

Ability
6210

Knowledge of cloud service models and possible limitations for an incident response.

Knowledge
6330

Knowledge of multi-level security/cross domain solutions.

Knowledge
6640

Skill in designing multi-level security/cross domain solutions.

Skill
6680

Skill in the use of design methods.

Skill
6918

Ability to apply cybersecurity strategy to cloud computing service and deployment models, identifying proper architecture for different operating environments.

Ability
6919

Ability to determine the best cloud deployment model for the appropriate operating environment.

Ability
6942

Skill in designing or implementing cloud computing deployment models.

Skill
6945

Skill in migrating workloads to, from, and among the different cloud computing service models.

Skill
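KSAT 1140A in the Security Architect list above (and the same item in the Secure Software Assessor list) asks for skill in putting PKI signature and certificate capabilities into an application. The Go program below is an added example and is not part of this page or of the DCWF. It builds a hypothetical self-signed CA, issues a leaf certificate for an assumed host name (app.example.internal), validates the leaf the way a TLS client would (chain to a trusted root, validity dates, hostname, extended key usage), and then signs and verifies a message with the leaf key. The CA name, host name and message are constructed for the example, and only the Go standard library is used. Encryption is not shown: the ECDSA keys here sign but do not encrypt, and TLS (the "SSL traffic" case) performs key agreement on top of exactly this certificate validation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// validity returns a deliberately short certificate lifetime around "now"
// (an assumption for this example; short lifetimes limit the exposure window
// if a private key leaks).
func validity() (time.Time, time.Time) {
	now := time.Now()
	return now.Add(-time.Hour), now.Add(24 * time.Hour)
}

// buildCA creates a hypothetical self-signed ECDSA P-256 root CA.
func buildCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	nb, na := validity()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Internal CA"}, // assumed name
		NotBefore:             nb,
		NotAfter:              na,
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLenZero:        true, // may sign end-entity certs only, no sub-CAs
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// Template and parent are the same object: a self-signed root.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf signs a server certificate for dnsName with the CA key.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	nb, na := validity()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName}, // verifiers match SANs, not the CN
		NotBefore:    nb,
		NotAfter:     na,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyLeaf performs the checks a TLS client applies to a server certificate:
// chain to a trusted root, validity period, hostname, and extended key usage.
func verifyLeaf(leaf, root *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// signMessage produces a DER-encoded ECDSA signature over SHA-256(msg).
func signMessage(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// verifyMessage checks sig with the public key carried in cert. The caller must
// have verified cert first: a signature only means what the chain says the key means.
func verifyMessage(cert *x509.Certificate, msg, sig []byte) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	ca, caKey, err := buildCA()
	if err != nil {
		panic(err)
	}
	leaf, leafKey, err := issueLeaf(ca, caKey, "app.example.internal")
	if err != nil {
		panic(err)
	}
	fmt.Println("chain ok:", verifyLeaf(leaf, ca, "app.example.internal") == nil)
	fmt.Println("wrong host rejected:", verifyLeaf(leaf, ca, "evil.example.internal") != nil)
	msg := []byte("constructed message") // sample input for the example
	sig, _ := signMessage(leafKey, msg)
	fmt.Println("signature ok:", verifyMessage(leaf, msg, sig))
	fmt.Println("tampered rejected:", !verifyMessage(leaf, []byte("constructed message!"), sig))
}
```

The design point for an architect: the application never trusts a bare public key. It trusts a root, lets the library walk the chain with hostname and key-usage constraints, and only then uses the key inside the validated certificate to check signatures.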
Security Control Assessor Work Role ID: 612 (NIST: SP-RM-002) Workforce Element: Cybersecurity

Conducts independent comprehensive assessments of the management, operational, and technical security controls and control enhancements employed within or inherited by an information technology (IT) system to determine the overall effectiveness of the controls (as defined in NIST SP 800-37).

Core KSATs

KSAT ID Description KSAT
19

Knowledge of cyber defense and vulnerability assessment tools, including open source tools, and their capabilities.

Knowledge
22

* Knowledge of computer networking concepts and protocols, and network security methodologies.

Knowledge
40

Knowledge of organization’s evaluation and validation requirements.

Knowledge
55

Knowledge of cybersecurity principles used to manage risks related to the use, processing, storage, and transmission of information or data.

Knowledge
58

Knowledge of known vulnerabilities from alerts, advisories, errata, and bulletins.

Knowledge
63

Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).

Knowledge
70

Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption).

Knowledge
77

Knowledge of current industry methods for evaluating, implementing, and disseminating information technology (IT) security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities.

Knowledge
105

Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, SQL and PL/SQL injection, race conditions, covert channels, replay, return-oriented programming, malicious code).

Knowledge
108

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

Knowledge
183

Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.

Skill
197

Skill in discerning the protection needs (i.e., security controls) of information systems and networks.

Skill
537

Develop methods to monitor and measure risk, compliance, and assurance efforts.

Task
548

Develop specifications to ensure risk, compliance, and assurance efforts conform with security, resilience, and dependability requirements at the software application, system, and network environment level.

Task
566

Draft statements of preliminary or residual security risks for system operation.

Task
691

Maintain information systems assurance and accreditation materials.

Task
710

Monitor and evaluate a system’s compliance with information technology (IT) security, resilience, and dependability requirements.

Task
1040A

Knowledge of relevant laws, policies, procedures, or governance related to critical infrastructure.

Knowledge
1072

Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).

Knowledge
1157

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

Knowledge
1158

* Knowledge of cybersecurity principles.

Knowledge
1159

* Knowledge of cyber threats and vulnerabilities.

Knowledge
6900

* Knowledge of specific operational impacts of cybersecurity lapses.

Knowledge
6935

* Knowledge of cloud computing service models: Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

Knowledge
6938

* Knowledge of cloud computing deployment models (private, public, and hybrid environments) and the difference between on-premises and off-premises environments.

Knowledge

Additional KSATs

KSAT ID Description KSAT
3B

Skill in conducting vulnerability scans and recognizing vulnerabilities in information systems and networks.

Skill
27

Knowledge of cryptography and cryptographic key management concepts.

Knowledge
38

Knowledge of organization’s enterprise information security architecture system.

Knowledge
43A

Knowledge of embedded systems.

Knowledge
53A

Knowledge of security risk assessments and authorization per Risk Management Framework processes.

Knowledge
69A

Knowledge of risk management processes and requirements per the Risk Management Framework (RMF).

Knowledge
88

Knowledge of new and emerging information technology (IT) and cybersecurity technologies.

Knowledge
88A

Knowledge of current and emerging cyber technologies.

Knowledge
95B

Knowledge of penetration testing principles, tools, and techniques, including specialized tools for non-traditional systems and networks (e.g., control systems).

Knowledge
121

Knowledge of structured analysis principles and methods.

Knowledge
128

Knowledge of systems diagnostic tools and fault identification techniques.

Knowledge
143

Knowledge of the organization’s enterprise information technology (IT) goals and objectives.

Knowledge
156

Skill in applying confidentiality, integrity, and availability principles.

Skill
203

Skill in identifying measures or indicators of system performance and the actions needed to improve or correct performance, relative to the goals of the system.

Skill
417

Apply coding and testing standards, apply security testing tools (including fuzzing and static-analysis code scanning tools), and conduct code reviews.

Task
457

Conduct Privacy Impact Assessments (PIA) of the application’s security design for the appropriate security controls, which protect the confidentiality and integrity of Personally Identifiable Information (PII).

Task
772

Perform validation steps, comparing actual results with expected results and analyze the differences to identify impact and risks.

Task
775

Plan and conduct security authorization reviews and assurance case development for initial installation of systems and networks.

Task
798

Provide an accurate technical evaluation of the software application, system, or network, documenting the security posture, capabilities, and vulnerabilities against relevant cybersecurity compliances.

Task
827

Recommend new or revised security, resilience, and dependability measures based on the results of reviews.

Task
836B

Review and approve security and privacy assessment plans.

Task
836

Review authorization and assurance documents to confirm that the level of risk is within acceptable limits for each software application, system, and network.

Task
878

Verify that application software/network/system security postures are implemented as stated, document deviations, and recommend required actions to correct those deviations.

Task
879

Verify that the software application/network/system accreditation and assurance documentation is current.

Task
936

Develop security compliance processes and/or audits for external services (e.g., cloud service providers, data centers).

Task
942

Knowledge of the organization’s core business/mission processes.

Knowledge
1034A

Knowledge of Personally Identifiable Information (PII) data security standards.

Knowledge
1034B

Knowledge of Payment Card Industry (PCI) data security standards.

Knowledge
1034C

Knowledge of Protected Health Information (PHI) data security standards.

Knowledge
1036

Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed.

Knowledge
1037

Knowledge of information technology (IT) supply chain security and risk management policies, requirements, and procedures.

Knowledge
1038B

Knowledge of local specialized system requirements (e.g., critical infrastructure/control systems that may not use standard information technology [IT]) for safety, performance, and reliability.

Knowledge
1039

Skill in evaluating the trustworthiness of the supplier and/or product.

Skill
1131

Knowledge of security architecture concepts and enterprise architecture reference models (e.g., Zachman, Federal Enterprise Architecture [FEA]).

Knowledge
1141A

Knowledge of an organization’s information classification program and procedures for information compromise.

Knowledge
1142

Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model).

Knowledge
1146

Develop and implement independent cybersecurity audit processes for application software/networks/systems, and oversee ongoing independent audits to ensure that operational and Research and Development (R&D) processes and procedures comply with organizational and mandatory cybersecurity requirements and are accurately followed by system administrators and other cybersecurity staff in their day-to-day activities.

Task
Vulnerability Assessment Analyst Work Role ID: 541 (NIST: PR-VA-001) Workforce Element: Cybersecurity

Performs assessments of systems and networks within the network environment (NE) or enclave and identifies where those systems/networks deviate from acceptable configurations, enclave policy, or local policy. Measures the effectiveness of the defense-in-depth architecture against known vulnerabilities.

Core KSATs

KSAT ID Description KSAT
10

Knowledge of application vulnerabilities.

Knowledge
10A

Skill in conducting application vulnerability assessments.

Skill
22

* Knowledge of computer networking concepts and protocols, and network security methodologies.

Knowledge
92

Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]).

Knowledge
105

Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, SQL and PL/SQL injection, race conditions, covert channels, replay, return-oriented programming, malicious code).

Knowledge
108

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

Knowledge
150

Knowledge of what constitutes a network attack and the relationship to both threats and vulnerabilities.

Knowledge
692

Maintain knowledge of applicable cyber defense policies, regulations, and compliance documents specifically related to cyber defense auditing.

Task
784

Prepare audit reports that identify technical and procedural findings, and provide recommended remediation strategies/solutions.

Task
1072

Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).

Knowledge
1157

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

Knowledge
1158

* Knowledge of cybersecurity principles.

Knowledge
1159

* Knowledge of cyber threats and vulnerabilities.

Knowledge
6900

* Knowledge of specific operational impacts of cybersecurity lapses.

Knowledge
6935

* Knowledge of cloud computing service models: Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

Knowledge
6938

* Knowledge of cloud computing deployment models (private, public, and hybrid environments) and the difference between on-premises and off-premises environments.

Knowledge

Additional KSATs

KSAT ID Description KSAT
3B

Skill in conducting vulnerability scans and recognizing vulnerabilities in information systems and networks.

Skill
4

Ability to identify systemic security issues based on the analysis of vulnerability and configuration data.

Ability
27

Knowledge of cryptography and cryptographic key management concepts.

Knowledge
27B

Skill in assessing the application of cryptographic standards.

Skill
29

Knowledge of data backup, types of backups (e.g., full, incremental), and recovery concepts and tools.

Knowledge
49

Knowledge of host/network access control mechanisms (e.g., access control list).

Knowledge
63

Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).

Knowledge
79

Knowledge of network access, identity, and access management (e.g., public key infrastructure [PKI]).

Knowledge
81A

Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration Protocol (DHCP), Domain Name System (DNS), and directory services.

Knowledge
95B

Knowledge of penetration testing principles, tools, and techniques, including specialized tools for non-traditional systems and networks (e.g., control systems).

Knowledge
102A

Ability to apply programming language structures (e.g., source code review) and logic.

Ability
102

Knowledge of programming language structures and logic.

Knowledge
128

Knowledge of systems diagnostic tools and fault identification techniques.

Knowledge
160

Skill in assessing the robustness of security systems and designs.

Skill
181A

Skill in detecting host and network based intrusions via intrusion detection technologies.

Skill
210

Skill in mimicking threat behaviors.

Skill
214B

Knowledge of packet-level analysis using appropriate tools (e.g., Wireshark, tcpdump).

Knowledge
225A

Skill in the use of penetration testing tools and techniques, including specialized tools for non-traditional systems and networks (e.g., control systems).

Skill
226

Skill in the use of social engineering techniques.

Skill
411A

Analyze organization’s cybersecurity policies and configurations and evaluate compliance with regulations and organizational directives.

Task
448

Conduct and/or support authorized penetration testing on enterprise network assets.

Task
685A

Maintain deployable cybersecurity audit toolkit (e.g., specialized cyber defense software and hardware) to support cybersecurity audit missions.

Task
801B

Knowledge of threat and risk assessment.

Knowledge
897A

Skill in performing impact/risk assessments.

Skill
904

Knowledge of interpreted and compiled computer languages.

Knowledge
922B

Skill in using network analysis tools, including specialized tools for non-traditional systems and networks (e.g., control systems), to identify vulnerabilities.

Skill
939

Conduct required reviews as appropriate within the environment (e.g., Technical Surveillance Countermeasures [TSCM] reviews, TEMPEST countermeasure reviews).

Task
940B

Perform technical (evaluation of technology) and non-technical (evaluation of people and operations) risk and vulnerability assessments of relevant technology focus areas (e.g., local computing environment, network and infrastructure, control system and operational environments, enclave boundary, supporting infrastructure, and applications).

Task
941A

Make recommendations regarding the selection of cost-effective security controls to mitigate risk (e.g., protection of information, systems and processes).

Task
991

Knowledge of different classes of attacks (e.g., passive, active, insider, close-in, distribution).

Knowledge
992C

Knowledge of threat environments (e.g., first generation threat actors, threat activities).

Knowledge
992B

Knowledge of cyber attackers (e.g., script kiddies, insider threat, non-nation state sponsored, and nation sponsored).

Knowledge
1033

Knowledge of basic system administration, network, and operating system hardening techniques.

Knowledge
1038A

Knowledge of infrastructure supporting information technology (IT) for safety, performance, and reliability.

Knowledge
1069

Knowledge of general attack stages (e.g., footprinting and scanning, enumeration, gaining access, escalation of privileges, maintaining access, network exploitation, covering tracks).

Knowledge
1141A

Knowledge of an organization’s information classification program and procedures for information compromise.

Knowledge
1142

Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model).

Knowledge
3150

Knowledge of ethical hacking principles and techniques.

Knowledge
3222

Knowledge of data backup and restoration concepts.

Knowledge
3513

Knowledge of system administration concepts for Unix/Linux and/or Windows operating systems.

Knowledge
6210

Knowledge of cloud service models and possible limitations for an incident response.

Knowledge
6660

Skill in reviewing logs to identify evidence of past intrusions.

Skill
6918

Ability to apply cybersecurity strategy to cloud computing service and deployment models, identifying proper architecture for different operating environments.

Ability
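KSAT 1142 in the Vulnerability Assessment Analyst list above, the same item in the Security Control Assessor list, and 1142B/6640 (applying security models, designing multi-level security/cross domain solutions) in the Security Architect list all refer to the lattice models behind multilevel security. The Go program below is an added example and is not part of this page or of the DCWF. It implements the two access rules of Bell-LaPadula (no read up, no write down) and their Biba duals (no read down, no write up) over labels made of a classification level plus a compartment set, so that dominance has to hold on both the level and the need-to-know categories. The level ordering UNCLASSIFIED < CONFIDENTIAL < SECRET < TOP SECRET, the compartment names, and the subject/object pairs in main are all assumed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// levelRank is the assumed total order of classification levels.
var levelRank = map[string]int{
	"UNCLASSIFIED": 0,
	"CONFIDENTIAL": 1,
	"SECRET":       2,
	"TOP SECRET":   3,
}

// Label is a security label: a level plus a set of compartments
// (need-to-know categories). Labels form a lattice ordered by Dominates.
type Label struct {
	Level        string
	Compartments map[string]bool
}

func NewLabel(level string, compartments ...string) Label {
	l := Label{Level: level, Compartments: map[string]bool{}}
	for _, c := range compartments {
		l.Compartments[c] = true
	}
	return l
}

// String renders a label as LEVEL//COMP1/COMP2 with compartments sorted.
func (l Label) String() string {
	names := make([]string, 0, len(l.Compartments))
	for c := range l.Compartments {
		names = append(names, c)
	}
	sort.Strings(names)
	if len(names) == 0 {
		return l.Level
	}
	return l.Level + "//" + strings.Join(names, "/")
}

// Dominates reports whether a is at least as high as b in the lattice: a's
// level ranks at or above b's and a's compartments are a superset of b's.
// An unknown level never dominates anything, so a mislabeled item fails closed.
func (a Label) Dominates(b Label) bool {
	ra, okA := levelRank[a.Level]
	rb, okB := levelRank[b.Level]
	if !okA || !okB || ra < rb {
		return false
	}
	for c := range b.Compartments {
		if !a.Compartments[c] {
			return false
		}
	}
	return true
}

// BLPAllowed applies Bell-LaPadula (confidentiality):
//   read  - simple security property: subject must dominate object (no read up)
//   write - *-property: object must dominate subject (no write down)
func BLPAllowed(subject, object Label, op string) bool {
	switch op {
	case "read":
		return subject.Dominates(object)
	case "write":
		return object.Dominates(subject)
	}
	return false // any operation not modelled is denied
}

// BibaAllowed applies Biba (integrity), the dual of BLP over integrity labels:
//   read  - object must dominate subject (no read down: don't ingest low-integrity data)
//   write - subject must dominate object (no write up: don't contaminate high-integrity data)
func BibaAllowed(subject, object Label, op string) bool {
	switch op {
	case "read":
		return object.Dominates(subject)
	case "write":
		return subject.Dominates(object)
	}
	return false
}

func main() {
	// Constructed subject and objects for the demonstration.
	analyst := NewLabel("SECRET", "CRYPTO")
	objects := []Label{
		NewLabel("UNCLASSIFIED"),
		NewLabel("SECRET"),
		NewLabel("SECRET", "CRYPTO", "SIGINT"),
		NewLabel("TOP SECRET", "CRYPTO"),
	}
	for _, obj := range objects {
		for _, op := range []string{"read", "write"} {
			fmt.Printf("%-14s %-5s %-24s BLP=%-5t Biba=%t\n",
				analyst, op, obj, BLPAllowed(analyst, obj, op), BibaAllowed(analyst, obj, op))
		}
	}
}
```

Two things the table printed by main makes visible that the model names alone do not: a SECRET//CRYPTO subject cannot write to a plain SECRET object under BLP, because the compartment set (not just the level) has to be dominated; and the same pair of labels yields opposite answers under Biba, which is why a cross domain solution that needs both confidentiality and integrity has to carry two separate labellings rather than reuse one.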