PD-WRL-003
Incident Response OPM Code: 531

Protects against, identifies, and analyzes risks to technology systems or networks. Includes investigation of cybersecurity events or crimes related to technology systems and networks.

Responsible for investigating, analyzing, and responding to network cybersecurity incidents.

Code | Description | Work Roles
T0164 | Perform cyber defense trend analysis and reporting | 2
T0262 | Employ approved defense-in-depth principles and practices (e.g., defense-in-multiple places, layered defenses, security robustness) | 1
T0510 | Coordinate incident response functions | 1
T1020 | Determine the operational and safety impacts of cybersecurity lapses | 37
T1084 | Identify anomalous network activity | 9
T1085 | Identify potential threats to network resources | 3
T1109 | Resolve cyber defense incidents | 1
T1110 | Coordinate technical support to enterprise-wide cybersecurity defense technicians | 1
T1118 | Identify vulnerabilities | 7
T1119 | Recommend vulnerability remediation strategies | 8
T1250 | Perform cyber defense incident triage | 1
T1251 | Recommend incident remediation strategies | 1
T1252 | Determine the scope, urgency, and impact of cyber defense incidents | 1
T1256 | Perform forensically sound image collection | 2
T1257 | Recommend mitigation and remediation strategies for enterprise systems | 1
T1260 | Perform real-time cyber defense incident handling | 2
T1299 | Determine causes of network alerts | 2
T1315 | Track cyber defense incidents from initial detection through final resolution | 1
T1316 | Document cyber defense incidents from initial detection through final resolution | 1
T1332 | Produce incident findings reports | 2
T1333 | Communicate incident findings to appropriate constituencies | 1
T1370 | Collect intrusion artifacts | 3
T1371 | Mitigate potential cyber defense incidents | 2
T1372 | Advise law enforcement personnel as technical expert | 2
T1407 | Correlate threat assessment data | 2
T1485 | Prepare after action reviews (AARs) | 2
T1489 | Correlate incident data | 7
T1582 | Maintain currency of cyber defense threat conditions | 2
T1617 | Prepare cyber defense reports | 2
Code | Description | Work Roles
K0674 | Knowledge of computer networking protocols | 40
K0675 | Knowledge of risk management processes | 41
K0676 | Knowledge of cybersecurity laws and regulations | 41
K0677 | Knowledge of cybersecurity policies and procedures | 41
K0678 | Knowledge of privacy laws and regulations | 41
K0679 | Knowledge of privacy policies and procedures | 41
K0680 | Knowledge of cybersecurity principles and practices | 40
K0681 | Knowledge of privacy principles and practices | 40
K0682 | Knowledge of cybersecurity threats | 40
K0683 | Knowledge of cybersecurity vulnerabilities | 40
K0684 | Knowledge of cybersecurity threat characteristics | 40
K0685 | Knowledge of access control principles and practices | 21
K0686 | Knowledge of authentication and authorization tools and techniques | 21
K0689 | Knowledge of network infrastructure principles and practices | 9
K0701 | Knowledge of data backup and recovery policies and procedures | 8
K0709 | Knowledge of business continuity and disaster recovery (BCDR) policies and procedures | 5
K0710 | Knowledge of enterprise cybersecurity architecture principles and practices | 20
K0716 | Knowledge of host access control (HAC) systems and software | 10
K0717 | Knowledge of network access control (NAC) systems and software | 10
K0718 | Knowledge of network communications principles and practices | 10
K0724 | Knowledge of incident response principles and practices | 8
K0725 | Knowledge of incident response tools and techniques | 8
K0726 | Knowledge of incident handling tools and techniques | 8
K0732 | Knowledge of intrusion detection tools and techniques | 4
K0746 | Knowledge of policy-based access controls | 15
K0747 | Knowledge of Risk Adaptive (Adaptable) Access Controls (RAdAC) | 15
K0751 | Knowledge of system threats | 40
K0752 | Knowledge of system vulnerabilities | 40
K0770 | Knowledge of system administration principles and practices | 14
K0778 | Knowledge of enterprise information technology (IT) architecture principles and practices | 20
K0783 | Knowledge of network attack characteristics | 7
K0791 | Knowledge of defense-in-depth principles and practices | 19
K0829 | Knowledge of account creation policies and procedures | 6
K0830 | Knowledge of password policies and procedures | 6
K0832 | Knowledge of cyberattack characteristics | 3
K0833 | Knowledge of cyberattack actor characteristics | 4
K0837 | Knowledge of hardening tools and techniques | 14
K0844 | Knowledge of cyberattack stages | 4
K0845 | Knowledge of cyber intrusion activity phases | 4
K0857 | Knowledge of malware analysis tools and techniques | 4
K0865 | Knowledge of data classification standards and best practices | 18
K0866 | Knowledge of data classification tools and techniques | 18
K0870 | Knowledge of enterprise architecture (EA) reference models and frameworks | 20
K0871 | Knowledge of enterprise architecture (EA) principles and practices | 20
K0891 | Knowledge of the Open Systems Interconnect (OSI) reference model | 13
K0898 | Knowledge of cloud service models and frameworks | 2
K0915 | Knowledge of network architecture principles and practices | 21
K0916 | Knowledge of malware analysis principles and practices | 4
K0924 | Knowledge of network analysis tools and techniques | 7
K0934 | Knowledge of data classification policies and procedures | 18
K0969 | Knowledge of cyber-attack tools and techniques | 7
K0983 | Knowledge of computer networking principles and practices | 39
K1014 | Knowledge of network security principles and practices | 40
K1049 | Knowledge of routing protocols | 3
K1079 | Knowledge of web application security risks | 13
Code | Description | Work Roles
S0077 | Skill in securing network communications | 3
S0080 | Skill in performing damage assessments | 1
S0483 | Skill in identifying software communications vulnerabilities | 7
S0509 | Skill in evaluating security products | 5
S0544 | Skill in recognizing vulnerabilities | 13
S0547 | Skill in identifying malware | 1
S0548 | Skill in capturing malware | 1
S0549 | Skill in containing malware | 1
S0550 | Skill in reporting malware | 1
S0572 | Skill in detecting host- and network-based intrusions | 5
S0589 | Skill in preserving digital evidence integrity | 4
S0607 | Skill in collecting digital evidence | 4
S0608 | Skill in processing digital evidence | 4
S0609 | Skill in transporting digital evidence | 3
S0614 | Skill in categorizing types of vulnerabilities | 3
S0615 | Skill in protecting a network against malware | 3
S0651 | Skill in performing malware analysis | 6
S0688 | Skill in performing network data analysis | 7
S0805 | Skill in designing incident responses | 2
S0806 | Skill in performing incident responses | 3
S0821 | Skill in collaborating with internal and external stakeholders | 9
S0854 | Skill in performing data analysis | 8
S0866 | Skill in performing log file analysis | 6