Intelligence (Cyberspace)

Intelligence (Cyberspace)

Personnel who collect, process, analyze, and disseminate information from all sources of intelligence on foreign actors’ cyberspace programs, intentions, capabilities, research and development, and operational activities.



Below are the associated Work Roles. Click the arrow to expand/collapse the Work Role information and view the associated Core and Additional KSATs (Knowledge, Skills, Abilties, and Tasks). Items denoted by a * are CORE KSATs for every Work Role, while other CORE KSATs vary by Work Role. Click on the other blue links to further explore the information.
All-Source Analyst Work Role ID: 111 (NIST: AN-ASA-001) Workforce Element: Intelligence (Cyberspace)

Analyzes data/information from one or multiple sources to conduct preparation of the environment, respond to requests for information, and submit intelligence collection and production requirements in support of planning and operations.

Core KSATs

KSAT ID Description KSAT
22

* Knowledge of computer networking concepts and protocols, and network security methodologies.

Knowledge
87

Knowledge of network traffic analysis methods.

Knowledge
108

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

Knowledge
264

Knowledge of basic physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage).

Knowledge
1157

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

Knowledge
1158

* Knowledge of cybersecurity principles.

Knowledge
1159

* Knowledge of cyber threats and vulnerabilities.

Knowledge
2028

Answer requests for information.

Task
2060A

Maintain a common intelligence picture.

Task
2075

Brief threat and/or target current situations.

Task
2115

Conduct in-depth research and analysis.

Task
2429

Generate requests for information.

Task
2434

Identify threat tactics, and methodologies.

Task
2603

Monitor operational environment and report on adversarial activities which fulfill leadership’s priority information requirements.

Task
2771

Provide timely notice of imminent or hostile intentions or activities which may impact organization objectives, resources, or capabilities.

Task
3001

Ability to accurately and completely source all data used in intelligence, assessment and/or planning products.

Ability
3002

Ability to focus research efforts to meet the customer’s decision-making needs.

Ability
3019

Ability to clearly articulate intelligence requirements into well-formulated research questions and data tracking variables for inquiry tracking purposes.

Ability
3022

Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means.

Ability
3041

Ability to effectively collaborate via virtual teams.

Ability
3042

Ability to evaluate information for reliability, validity, and relevance.

Ability
3043

Ability to evaluate, analyze, and synthesize large quantities of data (which may be fragmented and contradictory) into high quality, fused targeting/intelligence products.

Ability
3047

Ability to function effectively in a dynamic, fast-paced environment.

Ability
3048

Ability to function in a collaborative environment, seeking continuous consultation with other analysts and experts—both internal and external to the organization—in order to leverage analytical and technical expertise.

Ability
3052

Ability to identify intelligence gaps.

Ability
3073

Ability to recognize and mitigate cognitive biases which may affect analysis.

Ability
3077

Ability to think critically.

Ability
3081

Ability to utilize multiple intelligence sources across all intelligence disciplines.

Ability
3106

Knowledge of a wide range of basic communications media concepts and terminology (e.g., computer and telephone networks, satellite, cable, wireless).

Knowledge
3107

Knowledge of a wide range of concepts associated with websites (e.g., website types, administration, functions, software systems, etc.).

Knowledge
3129

Knowledge of attack methods and techniques (DDoS, brute force, spoofing, etc.).

Knowledge
3137

Knowledge of basic malicious activity concepts (e.g., foot printing, scanning and enumeration).

Knowledge
3154

Knowledge of classification and control markings standards, policies and procedures.

Knowledge
3177

Knowledge of common computer/network infections (virus, Trojan, etc.) and methods of infection (ports, attachments, etc.).

Knowledge
3188

Knowledge of computer networking fundamentals (i.e., basic computer components of a network, types of networks, etc.).

Knowledge
3262

Knowledge of evolving/emerging communications technologies.

Knowledge
3274

Knowledge of fundamental cyber operations concepts, terminology/lexicon (i.e., environment preparation, cyber attack, cyber defense), principles, capabilities, limitations, and effects.

Knowledge
3292

Knowledge of how modern digital and telephony networks impact cyber operations.

Knowledge
3293

Knowledge of how modern wireless communications systems impact cyber operations.

Knowledge
3298

Knowledge of how to extract, analyze, and use metadata.

Knowledge
3335

Knowledge of intelligence disciplines.

Knowledge
3342

Knowledge of intelligence support to planning, execution, and assessment.

Knowledge
3374

Knowledge of malware.

Knowledge
3431

Knowledge of OSI model and underlying network protocols (e.g., TCP/IP).

Knowledge
3441

Knowledge of physical and logical network devices and infrastructure to include hubs, switches, routers, firewalls, etc.

Knowledge
3539

Knowledge of telecommunications fundamentals.

Knowledge
3543

Knowledge of the basic structure, architecture, and design of modern communication networks.

Knowledge
3545

Knowledge of the basics of network security (e.g., encryption, firewalls, authentication, honey pots, perimeter protection).

Knowledge
3561

Knowledge of the common networking and routing protocols(e.g. TCP/IP), services (e.g., web, mail, DNS), and how they interact to provide network communications.

Knowledge
3582

Knowledge of the intelligence frameworks, processes, and related systems.

Knowledge
3584

Knowledge of intelligence preparation of the environment and similar processes.

Knowledge
3630

Knowledge of the ways in which targets or threats use the Internet.

Knowledge
3651

Knowledge of what constitutes a “threat” to a network.

Knowledge
3659

Knowledge of wireless technologies (e.g., cellular, satellite, GSM) to include the basic structure, architecture, and design of modern wireless communications systems.

Knowledge
3772

Skill in evaluating information for reliability, validity, and relevance.

Skill
3794

Skill in identifying cyber threats which may jeopardize organization and/or partner interests.

Skill
3844

Skill in preparing and presenting briefings.

Skill
3851

Skill in providing understanding of target or threat systems through the identification and link analysis of physical, functional, or behavioral relationships.

Skill
3876

Skill in writing, reviewing and editing cyber-related Intelligence/assessment products from multiple sources.

Skill
3910

Skill in using Boolean operators to construct simple and complex queries.

Skill
3920

Skill in using multiple analytic tools, databases, and techniques (e.g., Analyst’s Notebook, A-Space, Anchory, M3, divergent/convergent thinking, link charts, matrices, etc.).

Skill
3921

Skill in using multiple search engines (e.g., Google, Yahoo, LexisNexis, DataStar) and tools in conducting open-source searches.

Skill
3938

Skill in utilizing feedback in order to improve processes, products, and services.

Skill
6900

* Knowledge of specific operational impacts of cybersecurity lapses.

Knowledge

Additional KSATs

KSAT ID Description KSAT
52

Knowledge of human-computer interaction principles.

Knowledge
2059

Provide expertise to course of action development.

Task
2060

Provide subject matter expertise to the development of a common operational picture.

Task
2061

Provide subject matter expertise to the development of cyber operations specific indicators.

Task
2063

Assist in the coordination, validation, and management of all-source collection requirements, plans, and/or activities.

Task
2068

Assist in the identification of intelligence collection shortfalls.

Task
2087

Collaborate with intelligence analysts/targeting organizations involved in related areas.

Task
2121

Conduct nodal analysis.

Task
2195

Maintain awareness of internal and external cyber organization structures, strengths, and employments of staffing and technology.

Task
2288

Develop information requirements necessary for answering priority information requests.

Task
2356

Engage customers to understand customers’ intelligence needs and wants.

Task
2379

Evaluate threat decision-making processes.

Task
2379A

Identify threat vulnerabilities.

Task
2379B

Identify threats to Blue Force vulnerabilities.

Task
2441

Identify and evaluate threat critical capabilities, requirements, and vulnerabilities.

Task
2446

Identify and submit intelligence requirements for the purposes of designating priority information requirements.

Task
2459

Identify intelligence gaps and shortfalls.

Task
2593

Monitor and report changes in threat dispositions, activities, tactics, capabilities, objectives, etc. as related to designated cyber operations warning problem sets.

Task
2594

Monitor and report on validated threat activities.

Task
2602

Monitor open source websites for hostile content directed towards organizational or partner interests.

Task
2617

Produce timely, fused, all-source cyber operations intelligence and/or indications and warnings intelligence products (e.g., threat assessments, briefings, intelligence studies, country studies).

Task
2621

Provide SME and support to planning/developmental forums and working groups as appropriate.

Task
2685A

Provide subject matter expertise to website characterizations.

Task
2730

Provide analyses and support for effectiveness assessment.

Task
2735

Provide current intelligence support to critical internal/external stakeholders as appropriate.

Task
2738

Provide evaluation and feedback necessary for improving intelligence production, intelligence reporting, collection requirements, and operations.

Task
2745

Provide information and assessments for the purposes of informing leadership and customers; developing and refining objectives; supporting operation planning and execution; and assessing the effects of operations.

Task
2747

Provide input and assist in post-action effectiveness assessments.

Task
2748

Provide input and assist in the development of plans and guidance.

Task
2754

Provide intelligence analysis and support to designated exercises, planning activities, and time sensitive operations.

Task
2767

Provide target recommendations which meet leadership objectives.

Task
2789

Report intelligence-derived significant network events and intrusions.

Task
2881

Work closely with planners, intelligence analysts, and collection managers to ensure intelligence requirements and collection plans are accurate and up-to-date.

Task
3039

Ability to develop or recommend analytic approaches or solutions to problems and situations for which information is incomplete or for which no precedent exists.

Ability
3044

Ability to exercise judgment when policies are not well-defined.

Ability
3074

Ability to recognize and mitigate deception in reporting and analysis.

Ability
3078A

Ability to think like threat actors.

Ability
3079

Ability to understand objectives and effects.

Ability
3095

Knowledge of internet network addressing (IP addresses, classless inter-domain routing, TCP/UDP port numbering).

Knowledge
3098

Knowledge of virtualization products (Vmware, Virtual PC).

Knowledge
3205

Knowledge of current computer-based intrusion sets.

Knowledge
3210

Knowledge of cyber laws and their effect on Cyber planning.

Knowledge
3253

Knowledge of encryption algorithms and cyber capabilities/tools (e.g., SSL, PGP).

Knowledge
3271

Knowledge of internal and external partner cyber operations capabilities and tools.

Knowledge
3277

Knowledge of general SCADA system components.

Knowledge
3286

Knowledge of host-based security products and how they affect exploitation and vulnerability.

Knowledge
3291

Knowledge of how internet applications work (SMTP email, web-based email, chat clients, VOIP).

Knowledge
3334

Knowledge of intelligence confidence levels.

Knowledge
3343

Knowledge of cyber intelligence/information collection capabilities and repositories.

Knowledge
3358

Knowledge of organizational hierarchy and cyber decision making processes.

Knowledge
3419

Knowledge of organization or partner exploitation of digital networks.

Knowledge
3446

Knowledge of analytical constructs and their use in assessing the operational environment.

Knowledge
3460

Knowledge of internal tactics to anticipate and/or emulate threat capabilities and actions.

Knowledge
3504

Knowledge of threat and/or target systems.

Knowledge
3527

Knowledge of target development (i.e., concepts, roles, responsibilities, products, etc.).

Knowledge
3528

Knowledge of specific target identifiers, and their usage.

Knowledge
3533

Knowledge of target vetting and validation procedures.

Knowledge
3587

Knowledge of targeting cycles.

Knowledge
3615

Knowledge of the structure and intent of organization specific plans, guidance and authorizations.

Knowledge
3691

Skill in assessing and/or estimating effects generated during and after cyber operations.

Skill
3704

Skill in conducting non-attributable research.

Skill
3724

Skill in defining and characterizing all pertinent aspects of the operational environment.

Skill
3756

Skill in developing or recommending analytic approaches or solutions to problems and situations for which information is incomplete or for which no precedent exists.

Skill
3788

Skill in identifying alternative analytical interpretations in order to minimize unanticipated outcomes.

Skill
3893

Skill in tailoring analysis to the necessary levels (e.g., classification and organizational).

Skill
3946

Skill in utilizing virtual collaborative workspaces and/or tools (e.g., IWS, VTCs, chat rooms, SharePoint).

Skill
3953A

Skill in providing analysis to aid writing phased after action reports.

Skill
All-Source Collection Manager Work Role ID: 311 (NIST: CO-CL-001) Workforce Element: Intelligence (Cyberspace)

Identifies collection authorities and environment; incorporates priority information requirements into collection management; develops concepts to meet leadership’s intent. Determines capabilities of available collection assets, identifies new collection capabilities; and constructs and disseminates collection plans. Monitors execution of tasked collection to ensure effective execution of the collection plan.

Core KSATs

KSAT ID Description KSAT
22

* Knowledge of computer networking concepts and protocols, and network security methodologies.

Knowledge
108

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

Knowledge
1157

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

Knowledge
1158

* Knowledge of cybersecurity principles.

Knowledge
1159

* Knowledge of cyber threats and vulnerabilities.

Knowledge
2005

Adjust collection operations or collection plan to address identified issues/challenges and to synchronize collections with overall operational requirements.

Task
2015

Analyze feedback to determine extent to which collection products and services are meeting requirements.

Task
2021

Analyze plans, directives, guidance and policy for factors that would influence collection management’s operational structure and requirement s (e.g., duration, scope, communication requirements, interagency/international agreements).

Task
2035

Assess and apply operational environment factors and risks to collection management process.

Task
2096A

Compare allocated and available assets to collection demand as expressed through requirements.

Task
2165

Coordinate resource allocation of collection assets against prioritized collection requirements with collection discipline leads.

Task
2235

Determine how identified factors affect the tasking, collection, processing, exploitation and dissemination architecture’s form and function.

Task
2245

Develop a method for comparing collection reports to outstanding requirements to identify information gaps.

Task
2290

Allocate collection assets based on leadership’s guidance, priorities, and/or operational emphasis.

Task
2376

Establish processing, exploitation and dissemination management activity using approved guidance and/or procedures.

Task
2421

Formulate collection strategies based on knowledge of available intelligence discipline capabilities and gathering methods that align multi-discipline collection capabilities and accesses with targets and their observables.

Task
2451

Identify collaboration forums that can serve as mechanisms for coordinating processes, functions, and outputs with specified organizations and functional groups.

Task
2613

Optimize mix of collection assets and resources to increase effectiveness and efficiency against essential information associated with priority intelligence requirements.

Task
2705

Prioritize collection requirements for collection platforms based on platform capabilities.

Task
3010

Ability to apply collaborative skills and strategies.

Ability
3011

Ability to apply critical reading/thinking skills.

Ability
3102

Knowledge of operational planning processes.

Knowledge
3127

Knowledge of asset availability, capabilities and limitations.

Knowledge
3128

Knowledge of tasking mechanisms.

Knowledge
3148

Knowledge of collection capabilities and limitations.

Knowledge
3160

Knowledge of collaborative tools and environments.

Knowledge
3195

Knowledge of criteria for evaluating collection products.

Knowledge
3204

Knowledge of current collection requirements.

Knowledge
3297

Knowledge of how to establish priorities for resources.

Knowledge
3380

Knowledge of methods for ascertaining collection asset posture and availability.

Knowledge
3436

Knowledge of production exploitation and dissemination needs and architectures.

Knowledge
3464

Knowledge of research strategies and knowledge management.

Knowledge
3575

Knowledge of the factors of threat that could impact collection operations.

Knowledge
3619

Knowledge of the systems/architecture/communications used for coordination.

Knowledge
3663

Knowledge of tasking, collection, processing, exploitation and dissemination.

Knowledge
3974

Skill to apply the capabilities, limitations and tasking methodologies of available platforms, sensors, architectures and apparatus as they apply to organization objectives.

Skill
3991

Ability to coordinate and collaborate with analysts regarding surveillance requirements and essential information development.

Ability
3994

Ability to coordinate, collaborate and disseminate information to subordinate, lateral and higher-level organizations.

Ability
4002

Skill to determine feasibility of collection.

Skill
4004

Skill to develop a collection plan that clearly shows the discipline that can be used to collect the information needed.

Skill
4012

Skill to ensure that the collection strategy leverages all available resources.

Skill
4014

Skill to evaluate factors of the operational environment to objectives, and information requirements.

Skill
4019

Skill to extract information from available tools and applications associated with collection requirements and collection operations management.

Skill
4024

Skill to identify and apply tasking, collection, processing, exploitation and dissemination to associated collection disciplines.

Skill
4026

Skill in information prioritization as it relates to operations.

Skill
4033

Skill to interpret readiness reporting, its operational relevance and intelligence collection impact.

Skill
4049

Skill to prepare and deliver reports, presentations and briefings, to include using visual aids or presentation technology.

Skill
4056

Skill to review performance specifications and historical information about collection assets.

Skill
4066

Skill to use collaborative tools and environments.

Skill
6900

* Knowledge of specific operational impacts of cybersecurity lapses.

Knowledge

Additional KSATs

KSAT ID Description KSAT
52

Knowledge of human-computer interaction principles.

Knowledge
87

Knowledge of network traffic analysis methods.

Knowledge
2051

Assess performance of collection assets against prescribed specifications.

Task
2098

Compile lessons learned from collection management activity’s execution of organization collection objectives.

Task
2147

Consider efficiency and effectiveness of collection assets and resources if/when applied against priority information requirements.

Task
2153

Construct collection plans and matrixes using established guidance and procedures.

Task
2167

Coordinate inclusion of collection plan in appropriate documentation.

Task
2172

Re-task or re-direct collection assets and resources.

Task
2232

Determine course of action for addressing changes to objectives, guidance, and operational environment.

Task
2233

Determine existing collection management webpage databases, libraries and storehouses.

Task
2239

Determine organizations and/or echelons with collection authority over all accessible collection assets.

Task
2271

Develop coordinating instructions by collection discipline for each phase of an operation.

Task
2342

Disseminate tasking messages and collection plans.

Task
2373

Establish alternative processing, exploitation and dissemination pathways to address identified issues or problems.

Task
2414

Facilitate continuously updated intelligence, surveillance, and visualization input to common operational picture managers.

Task
2456

Identify coordination requirements and procedures with designated collection authorities.

Task
2464

Identify issues or problems that can disrupt and/or degrade processing, exploitation and dissemination architecture effectiveness.

Task
2475

Identify potential collection disciplines for application against priority information requirements.

Task
2479

Identify and mitigate risks to collection management ability to support the plan, operations and target cycle.

Task
2529

Issue requests for information.

Task
2538

Link priority collection requirements to optimal assets and resources.

Task
2597

Monitor completion of reallocated collection efforts.

Task
2604

Monitor operational status and effectiveness of the processing, exploitation and dissemination architecture.

Task
2609

Monitor the operational environment for potential factors and risks to the collection operation management process.

Task
2726

Provide advice/assistance to operations and intelligence decision makers with reassignment of collection assets and resources in response to dynamic operational situations.

Task
2793

Request discipline-specific processing, exploitation, and disseminate information collected using discipline’s collection assets and resources in accordance with approved guidance and/or procedures.

Task
2807

Review capabilities of allocated collection assets.

Task
2809

Review intelligence collection guidance for accuracy/applicability.

Task
2810

Review list of prioritized collection requirements and essential information.

Task
2812

Review and update overarching collection plan, as required.

Task
2817

Revise collection matrix based on availability of optimal assets and resources.

Task
2828

Specify changes to collection plan and/or operational environment that necessitate re-tasking or re-directing of collection assets and resources.

Task
2829

Specify discipline-specific collections and/or taskings that must be executed in the near term.

Task
2845

Synchronize the integrated employment of all available organic and partner intelligence collection assets using available collaboration capabilities and techniques.

Task
3092

Knowledge of database administration and maintenance.

Knowledge
3095

Knowledge of internet network addressing (IP addresses, classless inter-domain routing, TCP/UDP port numbering).

Knowledge
3098

Knowledge of virtualization products (Vmware, Virtual PC).

Knowledge
3116

Knowledge of all possible circumstances that would result in changing collection management authorities.

Knowledge
3131

Knowledge of available databases and tools necessary to assess appropriate collection tasking.

Knowledge
3135

Knowledge of basic computer components and architectures, including the functions of various peripherals.

Knowledge
3137

Knowledge of basic malicious activity concepts (e.g., foot printing, scanning and enumeration).

Knowledge
3156

Knowledge of collection management tools.

Knowledge
3162

Knowledge of collection capabilities, accesses, performance specifications, and constraints utilized to satisfy collection plan.

Knowledge
3165

Knowledge of collection planning process and collection plan.

Knowledge
3175

Knowledge of leadership’s Intent and objectives.

Knowledge
3177

Knowledge of common computer/network infections (virus, Trojan, etc.) and methods of infection (ports, attachments, etc.).

Knowledge
3188

Knowledge of computer networking fundamentals (i.e., basic computer components of a network, types of networks, etc.).

Knowledge
3205

Knowledge of current computer-based intrusion sets.

Knowledge
3217

Knowledge of cyber lexicon/terminology

Knowledge
3225

Knowledge of data communications terminology (e.g., networking protocols, Ethernet, IP, encryption, optical devices, removable media).

Knowledge
3253

Knowledge of encryption algorithms and cyber capabilities/tools (e.g., SSL, PGP).

Knowledge
3275

Knowledge of fundamental cyber concepts, principles, limitations, and effects.

Knowledge
3286

Knowledge of host-based security products and how they affect exploitation and vulnerability.

Knowledge
3291

Knowledge of how internet applications work (SMTP email, web-based email, chat clients, VOIP).

Knowledge
3292

Knowledge of how modern digital and telephony networks impact cyber operations.

Knowledge
3293

Knowledge of how modern wireless communications systems impact cyber operations.

Knowledge
3298

Knowledge of how to extract, analyze, and use metadata.

Knowledge
3322

Knowledge of indications and warning.

Knowledge
3325

Knowledge of information needs.

Knowledge
3332

Knowledge of tasking processes for organic and subordinate collection assets.

Knowledge
3361

Knowledge of key cyber threat actors and their equities.

Knowledge
3362A

Knowledge of key factors of the operational environment and related threats and vulnerabilities.

Knowledge
3374

Knowledge of malware.

Knowledge
3389

Knowledge of organization objectives and associated demand on collection management.

Knowledge
3417

Knowledge of non-traditional collection methodologies.

Knowledge
3420

Knowledge of ongoing and future operations.

Knowledge
3424

Knowledge of operational asset constraints.

Knowledge
3428

Knowledge of organization formats of resource and asset readiness reporting, its operational relevance and intelligence collection impact.

Knowledge
3430

Knowledge of organizational priorities, legal authorities and requirements submission processes.

Knowledge
3441

Knowledge of physical and logical network devices and infrastructure to include hubs, switches, routers, firewalls, etc.

Knowledge
3470

Knowledge of risk management and mitigation strategies.

Knowledge
3541

Knowledge of the available tools and applications associated with collection requirements and collection management.

Knowledge
3543

Knowledge of the basic structure, architecture, and design of modern communication networks.

Knowledge
3545

Knowledge of the basics of network security (e.g., encryption, firewalls, authentication, honey pots, perimeter protection).

Knowledge
3549

Knowledge of the capabilities and limitations of new and emerging collection capabilities, accesses and/or processes.

Knowledge
3552

Knowledge of the capabilities, limitations and tasking methodologies of internal and external collections as they apply to planned cyber activities.

Knowledge
3557

Knowledge of collection strategies.

Knowledge
3558

Knowledge of the priority information requirements from subordinate, lateral and higher levels of the organization.

Knowledge
3561

Knowledge of the common networking and routing protocols(e.g. TCP/IP), services (e.g., web, mail, DNS), and how they interact to provide network communications.

Knowledge
3574

Knowledge of the existent tasking, collection, processing, exploitation and dissemination architecture.

Knowledge
3595

Knowledge of the organization, roles and responsibilities of higher, lower and adjacent sub-elements.

Knowledge
3598

Knowledge of the organizational plans/directives/guidance that describe objectives.

Knowledge
3599

Knowledge of the organizational policies/procedures for temporary transfer of collection authority.

Knowledge
3602

Knowledge of the POC’s, databases, tools and applications necessary to establish environment preparation and surveillance products.

Knowledge
3624

Knowledge of different organization objectives at all levels, including subordinate, lateral and higher.

Knowledge
3625

Knowledge of the organization’s established format for collection plan.

Knowledge
3626

Knowledge of the organization’s planning, operations and targeting cycles.

Knowledge
3631

Knowledge of internal and external partner organization capabilities and limitations (those with tasking, collection, processing, exploitation and dissemination responsibilities).

Knowledge
3633

Knowledge of tipping, cueing, mixing, and redundancy.

Knowledge
3650

Knowledge of priority information, how it is derived, where it is published, how to access, etc.

Knowledge
3651

Knowledge of what constitutes a “threat” to a network.

Knowledge
3654

Knowledge of who the organization’s operational planners are, how and where they can be contacted, and what are their expectations.

Knowledge
3957

Skill to access information on current assets available, usage.

Skill
3960

Skill to access the databases where plans/directives/guidance are maintained.

Skill
3977

Skill to articulate a needs statement/requirement and integrate new and emerging collection capabilities, accesses and/or processes into collection operations.

Skill
3985

Skill to associate Intelligence gaps to priority information requirements and observables.

Skill
3986

Skill to compare and contrast indicators/observables with requirements.

Skill
3995

Ability to correctly employ each organization or element into the collection plan and matrix.

Ability
4016

Skill to evaluate the capabilities, limitations and tasking methodologies of organic, theater, national, coalition and other collection capabilities.

Skill
4025

Skill to identify Intelligence gaps.

Skill
4027

Skill to identify when priority information requirements are satisfied.

Skill
4029

Skill to translate the capabilities, limitations and tasking methodologies of organic, theater, national, coalition and other collection capabilities.

Skill
4044

Skill to optimize collection system performance through repeated adjustment, testing, and re-adjustment.

Skill
4113

Knowledge of the request for information process.

Knowledge
All-Source Collection Requirements Manager Work Role ID: 312 (NIST: CO-CL-002) Workforce Element: Intelligence (Cyberspace)

Evaluates collection operations and develops effects-based collection requirements strategies using available sources and methods to improve collection. Develops, processes, validates, and coordinates submission of collection requirements. Evaluates performance of collection assets and collection operations.

Core KSATs

KSAT ID Description KSAT
22

* Knowledge of computer networking concepts and protocols, and network security methodologies.

Knowledge
108

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

Knowledge
1157

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

Knowledge
1158

* Knowledge of cybersecurity principles.

Knowledge
1159

* Knowledge of cyber threats and vulnerabilities.

Knowledge
2015

Analyze feedback to determine extent to which collection products and services are meeting requirements.

Task
2017

Analyze incoming collection requests.

Task
2021

Analyze plans, directives, guidance and policy for factors that would influence collection management’s operational structure and requirement s (e.g., duration, scope, communication requirements, interagency/international agreements).

Task
2053

Assess the effectiveness of collections in satisfying priority information gaps, using available capabilities and methods, and then adjust collection strategies and collection requirements accordingly.

Task
2093

Collaborate with customer to define information requirements.

Task
2245

Develop a method for comparing collection reports to outstanding requirements to identify information gaps.

Task
2375

Validate the link between collection requests and critical information requirements and priority intelligence requirements of leadership.

Task
2398

Evaluate the effectiveness of collection operations against the collection plan.

Task
2857

Translate collection requests into applicable discipline-specific collection requirements.

Task
3010

Ability to apply collaborative skills and strategies.

Ability
3011

Ability to apply critical reading/thinking skills.

Ability
3102

Knowledge of operational planning processes.

Knowledge
3380

Knowledge of methods for ascertaining collection asset posture and availability.

Knowledge
3557

Knowledge of collection strategies.

Knowledge
4024

Skill to identify and apply tasking, collection, processing, exploitation and dissemination to associated collection disciplines.

Skill
4066

Skill to use collaborative tools and environments.

Skill
6900

* Knowledge of specific operational impacts of cybersecurity lapses.

Knowledge

Additional KSATs

KSAT ID Description KSAT
52

Knowledge of human-computer interaction principles.

Knowledge
87

Knowledge of network traffic analysis methods.

Knowledge
2046

Assess efficiency of existing information exchange and management systems.

Task
2051

Assess performance of collection assets against prescribed specifications.

Task
2082

Close requests for information once satisfied.

Task
2098

Compile lessons learned from collection management activity’s execution of organization collection objectives.

Task
2111

Conduct formal and informal coordination of collection requirements in accordance with established guidelines and procedures.

Task
2311

Develop procedures for providing feedback to collection managers, asset managers, and processing, exploitation and dissemination centers.

Task
2341

Disseminate reports to inform decision makers on collection issues.

Task
2347

Conduct and document an assessment of the collection results using established procedures.

Task
2384

Evaluate extent to which collected information and/or produced intelligence satisfy information requests.

Task
2397

Evaluate extent to which collection operations are synchronized with operational requirements.

Task
2451

Identify collaboration forums that can serve as mechanisms for coordinating processes, functions, and outputs with specified organizations and functional groups.

Task
2479

Identify and mitigate risks to collection management ability to support the plan, operations and target cycle.

Task
2514

Inform stakeholders (e.g., collection managers, asset managers, processing, exploitation and dissemination centers) of evaluation results using established procedures.

Task
2529

Issue requests for information.

Task
2587

Modify collection requirements as necessary.

Task
2727

Provide advisory and advocacy support to promote collection planning as an integrated component of the strategic campaign plans and other adaptive plans.

Task
2807

Review capabilities of allocated collection assets.

Task
2809

Review intelligence collection guidance for accuracy/applicability.

Task
2810

Review list of prioritized collection requirements and essential information.

Task
2827

Solicit and manage to completion feedback from requestors on quality, timeliness, and effectiveness of collection against collection requirements.

Task
2835

Submit information requests to collection requirement management section for processing as collection requests.

Task
2856

Track status of information requests, including those processed as collection requests and production requirements, using established procedures.

Task
2867

Use feedback results (e.g., lesson learned) to identify opportunities to improve collection management efficiency and effectiveness.

Task
2875

Validate requests for information according to established criteria.

Task
3092

Knowledge of database administration and maintenance.

Knowledge
3098

Knowledge of virtualization products (Vmware, Virtual PC).

Knowledge
3116

Knowledge of all possible circumstances that would result in changing collection management authorities.

Knowledge
3127

Knowledge of asset availability, capabilities and limitations.

Knowledge
3128

Knowledge of tasking mechanisms.

Knowledge
3131

Knowledge of available databases and tools necessary to assess appropriate collection tasking.

Knowledge
3135

Knowledge of basic computer components and architectures, including the functions of various peripherals.

Knowledge
3137

Knowledge of basic malicious activity concepts (e.g., foot printing, scanning and enumeration).

Knowledge
3148

Knowledge of collection capabilities and limitations.

Knowledge
3156

Knowledge of collection management tools.

Knowledge
3160

Knowledge of collaborative tools and environments.

Knowledge
3162

Knowledge of collection capabilities, accesses, performance specifications, and constraints utilized to satisfy collection plan.

Knowledge
3165

Knowledge of collection planning process and collection plan.

Knowledge
3175

Knowledge of leadership’s Intent and objectives.

Knowledge
3188

Knowledge of computer networking fundamentals (i.e., basic computer components of a network, types of networks, etc.).

Knowledge
3195

Knowledge of criteria for evaluating collection products.

Knowledge
3204

Knowledge of current collection requirements.

Knowledge
3217

Knowledge of cyber lexicon/terminology

Knowledge
3225

Knowledge of data communications terminology (e.g., networking protocols, Ethernet, IP, encryption, optical devices, removable media).

Knowledge
3234

Knowledge of databases, portals and associated dissemination vehicles.

Knowledge
3253

Knowledge of encryption algorithms and cyber capabilities/tools (e.g., SSL, PGP).

Knowledge
3262

Knowledge of evolving/emerging communications technologies.

Knowledge
3275

Knowledge of fundamental cyber concepts, principles, limitations, and effects.

Knowledge
3291

Knowledge of how internet applications work (SMTP email, web-based email, chat clients, VOIP).

Knowledge
3292

Knowledge of how modern digital and telephony networks impact cyber operations.

Knowledge
3293

Knowledge of how modern wireless communications systems impact cyber operations.

Knowledge
3297

Knowledge of how to establish priorities for resources.

Knowledge
3322

Knowledge of indications and warning.

Knowledge
3325

Knowledge of information needs.

Knowledge
3361

Knowledge of key cyber threat actors and their equities.

Knowledge
3362A

Knowledge of key factors of the operational environment and related threats and vulnerabilities.

Knowledge
3374

Knowledge of malware.

Knowledge
3389

Knowledge of organization objectives and associated demand on collection management.

Knowledge
3417

Knowledge of non-traditional collection methodologies.

Knowledge
3420

Knowledge of ongoing and future operations.

Knowledge
3424

Knowledge of operational asset constraints.

Knowledge
3430

Knowledge of organizational priorities, legal authorities and requirements submission processes.

Knowledge
3441

Knowledge of physical and logical network devices and infrastructure to include hubs, switches, routers, firewalls, etc.

Knowledge
3464

Knowledge of research strategies and knowledge management.

Knowledge
3470

Knowledge of risk management and mitigation strategies.

Knowledge
3541

Knowledge of the available tools and applications associated with collection requirements and collection management.

Knowledge
3543

Knowledge of the basic structure, architecture, and design of modern communication networks.

Knowledge
3545

Knowledge of the basics of network security (e.g., encryption, firewalls, authentication, honey pots, perimeter protection).

Knowledge
3549

Knowledge of the capabilities and limitations of new and emerging collection capabilities, accesses and/or processes.

Knowledge
3552

Knowledge of the capabilities, limitations and tasking methodologies of internal and external collections as they apply to planned cyber activities.

Knowledge
3556

Knowledge of collection management functionality (e.g., positions, functions, responsibilities, products, reporting requirements).

Knowledge
3558

Knowledge of the priority information requirements from subordinate, lateral and higher levels of the organization.

Knowledge
3561

Knowledge of the common networking and routing protocols(e.g. TCP/IP), services (e.g., web, mail, DNS), and how they interact to provide network communications.

Knowledge
3568

Knowledge of the definition of collection management and collection management authority.

Knowledge
3574

Knowledge of the existent tasking, collection, processing, exploitation and dissemination architecture.

Knowledge
3575

Knowledge of the factors of threat that could impact collection operations.

Knowledge
3595

Knowledge of the organization, roles and responsibilities of higher, lower and adjacent sub-elements.

Knowledge
3599

Knowledge of the organizational policies/procedures for temporary transfer of collection authority.

Knowledge
3602

Knowledge of the POC’s, databases, tools and applications necessary to establish environment preparation and surveillance products.

Knowledge
3624

Knowledge of different organization objectives at all levels, including subordinate, lateral and higher.

Knowledge
3625

Knowledge of the organization’s established format for collection plan.

Knowledge
3626

Knowledge of the organization’s planning, operations and targeting cycles.

Knowledge
3631

Knowledge of internal and external partner organization capabilities and limitations (those with tasking, collection, processing, exploitation and dissemination responsibilities).

Knowledge
3633

Knowledge of tipping, cueing, mixing, and redundancy.

Knowledge
3650

Knowledge of priority information, how it is derived, where it is published, how to access, etc.

Knowledge
3651

Knowledge of what constitutes a “threat” to a network.

Knowledge
3663

Knowledge of tasking, collection, processing, exploitation and dissemination.

Knowledge
3957

Skill to access information on current assets available, usage.

Skill
3960

Skill to access the databases where plans/directives/guidance are maintained.

Skill
3985

Skill to associate Intelligence gaps to priority information requirements and observables.

Skill
3986

Skill to compare and contrast indicators/observables with requirements.

Skill
3994

Ability to coordinate, collaborate and disseminate information to subordinate, lateral and higher-level organizations.

Ability
4012

Skill to ensure that the collection strategy leverages all available resources.

Skill
4016

Skill to evaluate the capabilities, limitations and tasking methodologies of organic, theater, national, coalition and other collection capabilities.

Skill
4025

Skill to identify Intelligence gaps.

Skill
4027

Skill to identify when priority information requirements are satisfied.

Skill
4028

Skill to implement established procedures for evaluating collection management and operations activities.

Skill
4033

Skill to interpret readiness reporting, its operational relevance and intelligence collection impact.

Skill
4049

Skill to prepare and deliver reports, presentations and briefings, to include using visual aids or presentation technology.

Skill
4055

Skill to resolve conflicting collection requirements.

Skill
4056

Skill to review performance specifications and historical information about collection assets.

Skill
4057

Skill to specify collections and/or taskings that must be conducted in the near term.

Skill
4063

Skill to evaluate requests for information to determine if response information exists.

Skill
4065

Skill to use systems and/or tools to track collection requirements and determine whether or not they are satisfied.

Skill
4113

Knowledge of the request for information process.

Knowledge
Cyber Intelligence Planner Work Role ID: 331 (NIST: CO-PL-001) Workforce Element: Intelligence (Cyberspace)

Develops detailed intelligence plans to satisfy cyber operations requirements. Collaborates with cyber operations planners to identify, validate, and levy requirements for collection and analysis. Participates in targeting selection, validation, synchronization, and execution of cyber actions. Synchronizes intelligence activities to support organization objectives in cyberspace.

Core KSATs

KSAT ID Description KSAT
22

* Knowledge of computer networking concepts and protocols, and network security methodologies.

Knowledge
108

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

Knowledge
264

Knowledge of basic physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage).

Knowledge
1056

Knowledge of operations security.

Knowledge
1157

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

Knowledge
1158

* Knowledge of cybersecurity principles.

Knowledge
1159

* Knowledge of cyber threats and vulnerabilities.

Knowledge
2009

Provide input to the analysis, design, development or acquisition of capabilities used for meeting objectives.

Task
2043

Coordinate for intelligence support to operational planning activities.

Task
2045

Assess all-source intelligence and recommend targets to support cyber operation objectives.

Task
2052

Assess target vulnerabilities and/or operational capabilities to determine course of action.

Task
2064

Assist in the development and refinement of priority information requirements.

Task
2070

Enable synchronization of intelligence support plans across partner organizations as required.

Task
2159

Contribute to crisis action planning for cyber operations.

Task
2163

Incorporate intelligence equities into the overall design of cyber operations plans.

Task
2181

Coordinate with intelligence planners to ensure collection managers receive information requirements.

Task
2185

Coordinate with the intelligence planning team to assess capability to satisfy assigned intelligence tasks.

Task
2186

Coordinate, produce and track intelligence requirements.

Task
2187

Coordinate, synchronize and draft applicable intelligence sections of cyber operations plans.

Task
2237

Determine indicators (e.g., measures of effectiveness) that are best suited to specific cyber operation objectives.

Task
2267

Develop and review intelligence guidance for integration into supporting cyber operations planning and execution.

Task
2276

Develop detailed intelligence support to cyber operations requirements.

Task
2352

Draft cyber intelligence collection and production requirements.

Task
2368

Ensure that intelligence planning activities are integrated and synchronized with operational planning timelines.

Task
2386

Evaluate intelligence estimates to support the planning cycle.

Task
2425

Incorporate intelligence and counterintelligence to support plan development.

Task
2442

Identify, draft, evaluate, and prioritize relevant intelligence or information requirements.

Task
2459A

Identify cyber intelligence gaps and shortfalls.

Task
2484

Identify the need, scope, and timeframe for applicable intelligence environment preparation derived production.

Task
2509

Provide input to or develop courses of action based on threat factors.

Task
2529

Issue requests for information.

Task
2530

Knowledge and understanding of operational design.

Knowledge
2531

Knowledge of organizational planning concepts.

Knowledge
2532

Lead and coordinate intelligence support to operational planning.

Task
2558

Maintain relationships with internal and external partners involved in cyber planning or related areas.

Task
2619

Provide subject matter expertise to planning teams, coordination groups, and task forces as necessary.

Task
2624

Conduct long-range, strategic planning efforts with internal and external partners in cyber activities.

Task
2736

Provide cyber focused guidance and advice on intelligence support plan inputs.

Task
2778

Recommend refinement, adaption, termination, and execution of operational plans as appropriate.

Task
2806

Review and comprehend organizational leadership objectives and guidance for planning.

Task
2819

Scope the cyber intelligence planning effort.

Task
2888

Document lessons learned that convey the results of events and/or exercises.

Task
3003

Ability to adjust to and operate in a diverse, unpredictable, challenging, and fast-paced work environment.

Ability
3011

Ability to apply critical reading/thinking skills.

Ability
3015

Ability to apply approved planning development and staffing processes.

Ability
3021

Ability to collaborate effectively with others.

Ability
3022

Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means.

Ability
3033

Ability to coordinate cyber operations with other organization functions or support activities.

Ability
3040

Ability to develop or recommend planning solutions to problems and situations for which no precedent exists.

Ability
3041

Ability to effectively collaborate via virtual teams.

Ability
3044

Ability to exercise judgment when policies are not well-defined.

Ability
3048

Ability to function in a collaborative environment, seeking continuous consultation with other analysts and experts—both internal and external to the organization—in order to leverage analytical and technical expertise.

Ability
3060

Ability to interpret and understand complex and rapidly evolving concepts.

Ability
3066

Ability to participate as a member of planning teams, coordination groups, and task forces as necessary.

Ability
3076

Ability to tailor technical and planning information to a customer’s level of understanding.

Ability
3106

Knowledge of a wide range of basic communications media concepts and terminology (e.g., computer and telephone networks, satellite, cable, wireless).

Knowledge
3107

Knowledge of a wide range of concepts associated with websites (e.g., website types, administration, functions, software systems, etc.).

Knowledge
3114

Knowledge of all forms of intelligence support needs, topics, and focus areas.

Knowledge
3117

Knowledge of all-source reporting and dissemination procedures.

Knowledge
3129

Knowledge of attack methods and techniques (DDoS, brute force, spoofing, etc.).

Knowledge
3154

Knowledge of classification and control markings standards, policies and procedures.

Knowledge
3155

Knowledge of client organizations, including information needs, objectives, structure, capabilities, etc.

Knowledge
3159

Knowledge of cyber operations support or enabling processes.

Knowledge
3174

Knowledge of the intelligence requirements development and request for information processes.

Knowledge
3177

Knowledge of common computer/network infections (virus, Trojan, etc.) and methods of infection (ports, attachments, etc.).

Knowledge
3188

Knowledge of computer networking fundamentals (i.e., basic computer components of a network, types of networks, etc.).

Knowledge
3194

Knowledge of crisis action planning and time sensitive planning procedures.

Knowledge
3215

Knowledge of cyber actions (i.e. cyber defense, information gathering, environment preparation, cyber attack) principles, capabilities, limitations, and effects.

Knowledge
3225

Knowledge of data communications terminology (e.g., networking protocols, Ethernet, IP, encryption, optical devices, removable media).

Knowledge
3257

Knowledge of target and threat organization structures, critical capabilities, and critical vulnerabilities.

Knowledge
3264

Knowledge of existing, emerging, and long-range issues related to cyber operations strategy, policy, and organization.

Knowledge
3274

Knowledge of fundamental cyber operations concepts, terminology/lexicon (i.e., environment preparation, cyber attack, cyber defense), principles, capabilities, limitations, and effects.

Knowledge
3275

Knowledge of fundamental cyber concepts, principles, limitations, and effects.

Knowledge
3287

Knowledge of how collection requirements and information needs are translated, tracked, and prioritized across the extended enterprise.

Knowledge
3311

Knowledge of analytical standards and the purpose of intelligence confidence levels.

Knowledge
3336

Knowledge of intelligence employment requirements (i.e., logistical, communications support, maneuverability, legal restrictions, etc.).

Knowledge
3340

Knowledge of intelligence requirements tasking systems.

Knowledge
3342

Knowledge of intelligence support to planning, execution, and assessment.

Knowledge
3388

Knowledge of crisis action planning for cyber operations.

Knowledge
3397

Knowledge of intelligence capabilities and limitations.

Knowledge
3443

Knowledge of PIR approval process.

Knowledge
3444

Knowledge of planning activity initiation.

Knowledge
3445

Knowledge of planning timelines adaptive, crisis action, and time-sensitive planning.

Knowledge
3463

Knowledge of required intelligence planning products associated with cyber operational planning.

Knowledge
3489

Knowledge of organizational structures and associated intelligence capabilities.

Knowledge
3554

Knowledge of the critical information requirements and how they’re used in planning.

Knowledge
3560

Knowledge of the production responsibilities and organic analysis and production capabilities.

Knowledge
3561

Knowledge of the common networking and routing protocols(e.g. TCP/IP), services (e.g., web, mail, DNS), and how they interact to provide network communications.

Knowledge
3582

Knowledge of the intelligence frameworks, processes, and related systems.

Knowledge
3584

Knowledge of intelligence preparation of the environment and similar processes.

Knowledge
3585

Knowledge of accepted organization planning systems.

Knowledge
3606

Knowledge of the process used to assess the performance and impact of operations.

Knowledge
3609

Knowledge of the range of cyber operations and their underlying intelligence support needs, topics, and focus areas.

Knowledge
3610

Knowledge of the relationships between end states, objectives, effects, lines of operation, etc.

Knowledge
3611

Knowledge of the relationships of operational objectives, intelligence requirements, and intelligence production tasks.

Knowledge
3629

Knowledge of the various collection disciplines and capabilities.

Knowledge
3651

Knowledge of what constitutes a “threat” to a network.

Knowledge
3659

Knowledge of wireless technologies (e.g., cellular, satellite, GSM) to include the basic structure, architecture, and design of modern wireless communications systems.

Knowledge
3665

Skill in administrative planning activities, to include preparation of functional and specific support plans, preparing and managing correspondence, and staffing procedures.

Skill
3681

Skill in applying analytical methods typically employed to support planning and to justify recommended strategies and courses of action.

Skill
3685

Skill in applying crisis planning procedures.

Skill
3742

Skill in determining the physical location of network devices.

Skill
3772

Skill in evaluating information for reliability, validity, and relevance.

Skill
3844

Skill in preparing and presenting briefings.

Skill
3845

Skill in preparing plans and related correspondence.

Skill
3879

Skill in reviewing and editing plans.

Skill
3938

Skill in utilizing feedback in order to improve processes, products, and services.

Skill
3965

Skill to analyze strategic guidance for issues requiring clarification and/or additional guidance.

Skill
3966

Skill to anticipate intelligence capability employment requirements.

Skill
3967

Skill to anticipate key target or threat activities which are likely to prompt a leadership decision.

Skill
3971

Skill to apply analytical standards to evaluate intelligence products.

Skill
3976

Skill to apply the process used to assess the performance and impact of cyber operations.

Skill
3978

Skill to articulate the needs of joint planners to all-source analysts.

Skill
3979

Skill to articulate intelligence capabilities available to support execution of the plan.

Skill
3987

Skill to conceptualize the entirety of the intelligence process in the multiple domains and dimensions.

Skill
3990

Skill to convert intelligence requirements into intelligence production tasks.

Skill
3992

Skill to coordinate the development of tailored intelligence products.

Skill
3996

Skill to correlate intelligence priorities to the allocation of intelligence resources/assets.

Skill
3998

Skill to craft indicators of operational progress/success.

Skill
4000

Skill to create and maintain up-to-date planning documents and tracking of services/production.

Skill
4018

Skill to express orally and in writing the relationship between intelligence capability limitations and decision making risk and impacts on the overall operation.

Skill
4032

Skill to interpret planning guidance to discern level of analytical support required.

Skill
4045

Skill to orchestrate intelligence planning teams, coordinate collection and production support, and monitor status.

Skill
4053

Skill to relate intelligence resources/assets to anticipated intelligence requirements.

Skill
4059

Skill to synchronize planning activities and required intelligence support.

Skill
6900

* Knowledge of specific operational impacts of cybersecurity lapses.

Knowledge

Additional KSATs

KSAT ID Description KSAT
52

Knowledge of human-computer interaction principles.

Knowledge
2058

Assist and advise inter-agency partners in identifying and developing best practices for facilitating operational support to achievement of organization objectives.

Task
2073

Provide input to the identification of cyber-related success criteria.

Task
2091

Collaborate with other team members or partner organizations to develop a diverse program of information materials (e.g., web pages, briefings, print materials).

Task
2160

Contribute to the development of the organization’s decision support tools if necessary.

Task
2192

Use intelligence estimates to counter potential target actions.

Task
2310

Develop potential courses of action.

Task
2327

Develop, implement, and recommend changes to appropriate planning procedures and policies.

Task
2392

Evaluate the conditions that affect employment of available cyber intelligence capabilities.

Task
2435

Identify all available partner intelligence capabilities and limitations supporting cyber operations.

Task
2528

Interpret environment preparations assessments to determine a course of action.

Task
2564

Maintain situational awareness to determine if changes to the operating environment require review of the plan.

Task
2702

Prepare for and provide subject matter expertise to exercises.

Task
3001

Ability to accurately and completely source all data used in intelligence, assessment and/or planning products.

Ability
3054

Ability to identify external partners with common cyber operations interests.

Ability
3057

Ability to interpret and apply laws, regulations, policies, and guidance relevant to organization cyber objectives.

Ability
3095

Knowledge of internet network addressing (IP addresses, classless inter-domain routing, TCP/UDP port numbering).

Knowledge
3098

Knowledge of virtualization products (Vmware, Virtual PC).

Knowledge
3205

Knowledge of current computer-based intrusion sets.

Knowledge
3211

Knowledge of cyber laws and legal considerations and their effect on cyber planning.

Knowledge
3235

Knowledge of deconfliction processes and procedures.

Knowledge
3253

Knowledge of encryption algorithms and cyber capabilities/tools (e.g., SSL, PGP).

Knowledge
3262

Knowledge of evolving/emerging communications technologies.

Knowledge
3271

Knowledge of internal and external partner cyber operations capabilities and tools.

Knowledge
3286

Knowledge of host-based security products and how they affect exploitation and vulnerability.

Knowledge
3291

Knowledge of how internet applications work (SMTP email, web-based email, chat clients, VOIP).

Knowledge
3292

Knowledge of how modern digital and telephony networks impact cyber operations.

Knowledge
3293

Knowledge of how modern wireless communications systems impact cyber operations.

Knowledge
3326

Knowledge of information security concepts, facilitating technologies and methods.

Knowledge
3356

Knowledge of organization policies and planning concepts for partnering with internal and/or external organizations.

Knowledge
3358

Knowledge of organizational hierarchy and cyber decision making processes.

Knowledge
3374

Knowledge of malware.

Knowledge
3391

Knowledge of objectives, situation, operational environment, and the status and disposition of internal and external partner collection capabilities available to support planning.

Knowledge
3419

Knowledge of organization or partner exploitation of digital networks.

Knowledge
3459

Knowledge of the functions and capabilities of internal teams that emulate threat activities to benefit the organization.

Knowledge
3539

Knowledge of telecommunications fundamentals.

Knowledge
3543

Knowledge of the basic structure, architecture, and design of modern communication networks.

Knowledge
3545

Knowledge of the basics of network security (e.g., encryption, firewalls, authentication, honey pots, perimeter protection).

Knowledge
3570

Knowledge of the organizational structure as it pertains to full spectrum cyber operations, including the functions, responsibilities, and interrelationships among distinct internal elements.

Knowledge
3571

Knowledge of the organizational planning and staffing process.

Knowledge
3572

Knowledge of organization decision support tools and/or methods.

Knowledge
3578

Knowledge of the impacts of internal and external partner staffing estimates.

Knowledge
3591

Knowledge of organization objectives, leadership priorities, and decision-making risks.

Knowledge
3601

Knowledge of the outputs of course of action and exercise analysis.

Knowledge
3607

Knowledge of the processes to synchronize operational assessment procedures with the critical information requirement process.

Knowledge
3615

Knowledge of the structure and intent of organization specific plans, guidance and authorizations.

Knowledge
3616

Knowledge of the structure, architecture, and design of modern digital and telephony networks.

Knowledge
3627

Knowledge of cryptologic capabilities, limitations, and contributions to cyber operations.

Knowledge
3630

Knowledge of the ways in which targets or threats use the Internet.

Knowledge
3638

Knowledge of organization issues, objectives, and operations in cyber as well as regulations and policy directives governing cyber operations.

Knowledge
3639

Knowledge of organization cyber operations programs, strategies, and resources.

Knowledge
3766

Skill in documenting and communicating complex technical and programmatic information.

Skill
3877

Skill in reviewing and editing intelligence products from various sources for cyber operations.

Skill
3893

Skill in tailoring analysis to the necessary levels (e.g., classification and organizational).

Skill
3946

Skill in utilizing virtual collaborative workspaces and/or tools (e.g., IWS, VTCs, chat rooms, SharePoint).

Skill
3964

Skill to analyze target or threat sources of strength and morale.

Skill
4023

Skill to graphically depict decision support materials containing intelligence and partner capability estimates.

Skill
4041

Skill to monitor threat effects to partner capabilities and maintain a running estimate.

Skill
4042

Skill to monitor target or threat situation and environmental factors.

Skill
Multi-Disciplined Language Analyst Work Role ID: 151 (NIST: AN-LA-001) Workforce Element: Intelligence (Cyberspace)

Applies language and culture expertise with target/threat and technical knowledge to process, analyze, and/or disseminate intelligence information derived from language, voice and/or graphic material. Creates, and maintains language specific databases and working aids to support cyber action execution and ensure critical knowledge sharing. Provides subject matter expertise in foreign language-intensive or interdisciplinary projects.

Core KSATs

KSAT ID Description KSAT
22

* Knowledge of computer networking concepts and protocols, and network security methodologies.

Knowledge
108

* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).

Knowledge
1056

Knowledge of operations security.

Knowledge
1157

* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.

Knowledge
1158

* Knowledge of cybersecurity principles.

Knowledge
1159

* Knowledge of cyber threats and vulnerabilities.

Knowledge
2099

Compile, integrate, and/or interpret all-source data for intelligence or vulnerability value with respect to specific targets.

Task
2890

Advise managers and operators on language and cultural issues that impact organization objectives.

Task
2891

Analyze and process information using language and/or cultural expertise.

Task
2897

Conduct analysis of target communications to identify essential information in support of organization objectives.

Task
2902

Evaluate and interpret metadata to look for patterns, anomalies, or events, thereby optimizing targeting, analysis and processing.

Task
2905

Identify target communications within the global network.

Task
2906

Maintain awareness of target communication tools, techniques, and the characteristics of target communication networks (e.g., capacity, functionality, paths, critical nodes) and their potential implications for targeting, collection, and analysis.

Task
2910

Perform foreign language and dialect identification in initial source data.

Task
2912

Perform or support technical network analysis and mapping.

Task
2921

Scan, identify and prioritize target graphic (including machine-to-machine communications) and/or voice language material.

Task
2922

Tip critical or time-sensitive information to appropriate customers.

Task
2923

Transcribe target voice materials in the target language.

Task
2924

Translate (e.g., verbatim, gists, and/or summaries) target graphic material.

Task
2925

Translate (e.g., verbatim, gists, and/or summaries) target voice material.

Task
2927

Identify foreign language terminology within computer programs (e.g., comments, variable names).

Task
2930

Provide near-real time language analysis support (e.g., live operations).

Task
2931

Identify cyber/technology-related terminology in the target language.

Task
3022

Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means.

Ability
3106

Knowledge of a wide range of basic communications media concepts and terminology (e.g., computer and telephone networks, satellite, cable, wireless).

Knowledge
3154

Knowledge of classification and control markings standards, policies and procedures.

Knowledge
3158

Knowledge of cyber operation objectives, policies, and legalities.

Knowledge
3219

Knowledge of cyber operations.

Knowledge
3225

Knowledge of data communications terminology (e.g., networking protocols, Ethernet, IP, encryption, optical devices, removable media).

Knowledge
3298

Knowledge of how to extract, analyze, and use metadata.

Knowledge
3338

Knowledge of intelligence reporting principles, policies, procedures, and vehicles, including report formats, reportability criteria (requirements and priorities), dissemination practices, and legal authorities and restrictions.

Knowledge
3407

Knowledge of network security (e.g., encryption, firewalls, authentication, honey pots, perimeter protection).

Knowledge
3450

Knowledge of principles and practices related to target development such as target knowledge, associations, communication systems, and infrastructure.

Knowledge
3534

Knowledge of target, including related current events, communication profile, actors, and history (language, culture) and/or frame of reference.

Knowledge
3616

Knowledge of the structure, architecture, and design of modern digital and telephony networks.

Knowledge
3617

Knowledge of the structure, architecture, and design of modern wireless communications systems.

Knowledge
3678

Skill in analyzing traffic to identify network devices.

Skill
3689

Skill in applying various analytical methods, tools, and techniques (e.g., competing hypotheses; chain of reasoning; scenario methods; denial and deception detection; high impact-low probability; network/association or link analysis; Bayesian, Delphi, and Pattern analyses).

Skill
3708A

Skill in conducting social network analysis.

Skill
3765

Skill in disseminating items of highest intelligence value in a timely manner.

Skill
3867A

Skill in recognizing technical information that may be used for target development including intelligence development.

Skill
4086

Knowledge of relevant laws, regulations, and policies.

Knowledge
4087

Knowledge of target cultural references, dialects, expressions, idioms, and abbreviations.

Knowledge
4094

Knowledge of networking and internet communications fundamentals (i.e. devices, device configuration, hardware, software, applications, ports/protocols, addressing, network architecture and infrastructure, routing, operating systems, etc.).

Knowledge
4105

Knowledge of language processing tools and techniques.

Knowledge
4106

Knowledge of analytic tools and techniques.

Knowledge
4116

Knowledge of transcript development processes and techniques (e.g., verbatim, gists, summaries).

Knowledge
4117

Knowledge of translation processes and techniques.

Knowledge
4123

Skill in conducting research using all available sources.

Skill
4124

Skill in translating target graphic and/or voice language materials.

Skill
4125

Skill in complying with the legal restrictions for targeted information.

Skill
4128

Skill in developing intelligence reports.

Skill
4129

Skill in evaluating and interpreting metadata.

Skill
4133

Skill in gisting target communications.

Skill
4135

Skill in identifying non-target regional languages and dialects

Skill
4140

Skill in prioritizing target language material.

Skill
4141

Skill in providing analysis on target-related matters (e.g., language, cultural, communications).

Skill
4148

Ability to review processed target language materials for accuracy and completeness.

Ability
4149

Skill in transcribing target language communications.

Skill
4152

Knowledge of specialized target language (e.g., acronyms, jargon, technical terminology, codewords).

Knowledge
4165

Knowledge of obfuscation techniques (e.g., TOR/Onion/anonymizers, VPN/VPS, encryption).

Knowledge
4167

Knowledge of target language(s).

Knowledge
4169

Ability to apply language and cultural expertise to analysis.

Ability
6900

* Knowledge of specific operational impacts of cybersecurity lapses.

Knowledge

Additional KSATs

KSAT ID Description KSAT
915

Knowledge of front-end collection systems, including traffic collection, filtering, and selection.

Knowledge
2243

Determine what technologies are used by a given target.

Task
2434

Identify threat tactics, and methodologies.

Task
2453

Identify collection gaps and potential collection strategies against targets.

Task
2568

Make recommendations to guide collection in support of customer requirements.

Task
2621

Provide SME and support to planning/developmental forums and working groups as appropriate.

Task
2893

Assess, document, and apply a target’s motivation and/or frame of reference to facilitate analysis, targeting and collection opportunities.

Task
2894

Collaborate across internal and/or external organizational lines to enhance collection, analysis and dissemination.

Task
2896

Conduct all-source target research to include the use of open source materials in the target language.

Task
2901

Perform quality review and provide feedback on transcribed or translated materials.

Task
2909

Provide feedback to collection managers to enhance future collection and analysis.

Task
2916

Provide requirements and feedback to optimize the development of language processing tools.

Task
2919

Perform social network analysis and document as appropriate.

Task
3048

Ability to function in a collaborative environment, seeking continuous consultation with other analysts and experts—both internal and external to the organization—in order to leverage analytical and technical expertise.

Ability
3262

Knowledge of evolving/emerging communications technologies.

Knowledge
3564

Knowledge of the data flow from collection origin to repositories and tools.

Knowledge
3595

Knowledge of the organization, roles and responsibilities of higher, lower and adjacent sub-elements.

Knowledge
3771

Skill in evaluating data sources for relevance, reliability, and objectivity.

Skill
3772

Skill in evaluating information for reliability, validity, and relevance.

Skill
3822

Skill in managing client relationships, including determining client needs/requirements, managing client expectations, and demonstrating commitment to delivering quality results.

Skill
3861

Skill in recognizing denial and deception techniques of the target.

Skill
3865

Skill in recognizing significant changes in a target’s communication patterns.

Skill
3890

Skill in synthesizing, analyzing, and prioritizing meaning across data sets.

Skill
3923

Skill in using non-attributable networks.

Skill
4072

Knowledge of collection systems, capabilities, and processes.

Knowledge
4073

Knowledge of the feedback cycle in collection processes.

Knowledge
4078

Knowledge of target or threat cyber actors and procedures.

Knowledge
4079

Knowledge of basic cyber operations activity concepts (e.g., foot printing, scanning and enumeration, penetration testing, white/black listing).

Knowledge
4085

Knowledge of approved intelligence dissemination processes.

Knowledge
4088

Knowledge of target communication profiles and their key elements (e.g., target associations, activities, communication infrastructure).

Knowledge
4089

Knowledge of target communication tools and techniques.

Knowledge
4090

Knowledge of the characteristics of targeted communication networks (e.g., capacity, functionality, paths, critical nodes).

Knowledge
4095

Knowledge of concepts related to websites (e.g., web servers/pages, hosting, DNS, registration, web languages such as HTML).

Knowledge
4097

Knowledge of network security implementations (e.g., host-based IDS, IPS, access control lists), including their function and placement in a network.

Knowledge
4099

Knowledge of customer information needs.

Knowledge
4108

Knowledge of the impact of language analysis on on-net operator functions.

Knowledge
4113

Knowledge of the request for information process.

Knowledge
4118

Skill in identifying a target’s network characteristics.

Skill
4119

Skill in analyzing language processing tools to provide feedback to enhance tool development.

Skill
4121

Skill in assessing a target’s frame of reference (e.g., motivation, technical capability, organizational structure, sensitivities).

Skill
4134

Skill in identifying intelligence gaps and limitations.

Skill
4160

Skill in interpreting traceroute results, as they apply to network analysis and reconstruction.

Skill
4164

Skill in identifying language issues that may have an impact on organization objectives.

Skill
4166

Knowledge of computer programming concepts, including computer languages, programming, testing, debugging, and file types.

Knowledge