SP-RSK-002 Security Control Assessor

Conceptualizes, designs, procures, and/or builds secure information technology (IT) systems, with responsibility for aspects of system and/or network development.

Oversees, evaluates, and supports the documentation, validation, assessment, and authorization processes necessary to assure that existing and new information technology (IT) systems meet the organization's cybersecurity and risk requirements. Ensures appropriate treatment of risk, compliance, and assurance from internal and external perspectives.

Conducts independent comprehensive assessments of the management, operational, and technical security controls and control enhancements employed within or inherited by an information technology (IT) system to determine the overall effectiveness of the controls (as defined in NIST SP 800-37).

Knowledges 53

Code	Description	Work Roles
K0001	Knowledge of computer networking concepts and protocols, and network security methodologies.	52
K0002	Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).	52
K0003	Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.	52
K0004	Knowledge of cybersecurity and privacy principles.	52
K0005	Knowledge of cyber threats and vulnerabilities.	52
K0006	Knowledge of specific operational impacts of cybersecurity lapses.	52
K0007	Knowledge of authentication, authorization, and access control methods.	4
K0008	Knowledge of applicable business processes and operations of customer organizations.	5
K0009	Knowledge of application vulnerabilities.	6
K0010	Knowledge of communication methods, principles, and concepts that support the network infrastructure.	3
K0011	Knowledge of capabilities and applications of network equipment including routers, switches, bridges, servers, transmission media, and related hardware.	3
K0013	Knowledge of cyber defense and vulnerability assessment tools and their capabilities.	5
K0018	Knowledge of encryption algorithms	11
K0019	Knowledge of cryptography and cryptographic key management concepts	8
K0018	Knowledge of encryption algorithms	11
K0021	Knowledge of data backup and recovery.	9
K0024	Knowledge of database systems.	7
K0026	Knowledge of business continuity and disaster recovery continuity of operations plans.	5
K0027	Knowledge of organization's enterprise information security architecture.	9
K0028	Knowledge of organization's evaluation and validation requirements.	8
K0029	Knowledge of organization's Local and Wide Area Network connections.	2
K0037	Knowledge of Security Assessment and Authorization process.	5
K0038	Knowledge of cybersecurity and privacy principles used to manage risks related to the use, processing, storage, and transmission of information or data.	6
K0040	Knowledge of vulnerability information dissemination sources (e.g., alerts, advisories, errata, and bulletins).	5
K0044	Knowledge of cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).	14
K0048	Knowledge of Risk Management Framework (RMF) requirements.	8
K0049	Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption).	8
K0054	Knowledge of current industry methods for evaluating, implementing, and disseminating information technology (IT) security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities.	3
K0056	Knowledge of network access, identity, and access management (e.g., public key infrastructure, Oauth, OpenID, SAML, SPML).	11
K0059	Knowledge of new and emerging information technology (IT) and cybersecurity technologies.	12
K0070	Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).	13
K0084	Knowledge of structured analysis principles and methods.	6
K0089	Knowledge of systems diagnostic tools and fault identification techniques.	3
K0098	Knowledge of the cyber defense Service Provider reporting structure and processes within one’s own organization.	2
K0100	Knowledge of the enterprise information technology (IT) architecture.	2
K0101	Knowledge of the organization’s enterprise information technology (IT) goals and objectives.	8
K0126	Knowledge of Supply Chain Risk Management Practices (NIST SP 800-161)	14
K0146	Knowledge of the organization's core business/mission processes.	10
K0168	Knowledge of applicable laws, statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures.	11
K0169	Knowledge of information technology (IT) supply chain security and supply chain risk management policies, requirements, and procedures.	14
K0170	Knowledge of critical infrastructure systems with information communication technology that were designed without system security considerations.	12
K0179	Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).	19
K0199	Knowledge of security architecture concepts and enterprise architecture reference models (e.g., Zachman, Federal Enterprise Architecture [FEA]).	6
K0203	Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model).	10
K0260	Knowledge of Personally Identifiable Information (PII) data security standards.	16
K0261	Knowledge of Payment Card Industry (PCI) data security standards.	17
K0262	Knowledge of Personal Health Information (PHI) data security standards.	17
K0267	Knowledge of laws, policies, procedures, or governance relevant to cybersecurity for critical infrastructures.	8
K0287	Knowledge of an organization's information classification program and procedures for information compromise.	18
K0322	Knowledge of embedded systems.	10
K0342	Knowledge of penetration testing principles, tools, and techniques.	8
K0622	Knowledge of controls related to the use, processing, storage, and transmission of data.	6
K0624	Knowledge of Application Security Risks (e.g. Open Web Application Security Project Top 10 list)	13

Skills 68

Code	Description	Work Roles
S0001	Skill in conducting vulnerability scans and recognizing vulnerabilities in security systems.	6
S0006	Skill in applying confidentiality, integrity, and availability principles.	3
S0027	Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.	7
S0034	Skill in discerning the protection needs (i.e., security controls) of information systems and networks.	6
S0038	Skill in identifying measures or indicators of system performance and the actions needed to improve or correct performance, relative to the goals of the system.	5
S0073	Skill in using virtual machines. (e.g., Microsoft Hyper-V, VMWare vSphere, Citrix XenDesktop/Server, Amazon Elastic Compute Cloud, etc.).	5
S0078	Skill in recognizing and categorizing types of vulnerabilities and associated attacks.	3
S0097	Skill in applying security controls.	3
S0100	Skill in utilizing or developing learning activities (e.g., scenarios, instructional games, interactive exercises).	2
S0110	Skill in identifying Test & Evaluation infrastructure (people, ranges, tools, instrumentation) requirements.	2
S0111	Skill in interfacing with customers.	2
S0112	Skill in managing test assets, test resources, and test personnel to ensure effective completion of test events.	2
S0115	Skill in preparing Test & Evaluation reports.	2
S0120	Skill in reviewing logs to identify evidence of past intrusions.	2
S0124	Skill in troubleshooting and diagnosing cyber defense infrastructure anomalies and work through resolution.	2
S0128	Skill in using manpower and personnel IT systems.	2
S0134	Skill in conducting reviews of systems.	2
S0135	Skill in secure test plan design (e. g. unit, integration, system, acceptance).	3
S0136	Skill in network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools.	2
S0137	Skill in conducting application vulnerability assessments.	2
S0138	Skill in using Public-Key Infrastructure (PKI) encryption and digital signature capabilities into applications (e.g., S/MIME email, SSL traffic).	5
S0141	Skill in assessing security systems designs.	2
S0145	Skill in integrating and applying policies that meet system security objectives.	3
S0147	Skill in assessing security controls based on cybersecurity principles and tenets. (e.g., CIS CSC, NIST SP 800-53, Cybersecurity Framework, etc.).	3
S0171	Skill in performing impact/risk assessments.	2
S0172	Skill in applying secure coding techniques.	2
S0173	Skill in using security event correlation tools.	2
S0174	Skill in using code analysis tools.	3
S0175	Skill in performing root cause analysis.	3
S0176	Skill in administrative planning activities, to include preparation of functional and specific support plans, preparing and managing correspondence, and staffing procedures.	4
S0177	Skill in analyzing a target's communication networks.	2
S0184	Skill in analyzing traffic to identify network devices.	4
S0232	Skill in identifying intelligence gaps and limitations.	2
S0233	Skill in identifying language issues that may have an impact on organization objectives.	2
S0234	Skill in identifying leads for target development.	2
S0235	Skill in identifying non-target regional languages and dialects	2
S0236	Skill in identifying the devices that work at each level of protocol models.	3
S0237	Skill in identifying, locating, and tracking targets via geospatial analysis techniques	2
S0238	Skill in information prioritization as it relates to operations.	2
S0239	Skill in interpreting compiled and interpretive programming languages.	2
S0240	Skill in interpreting metadata and content as applied by collection systems.	2
S0241	Skill in interpreting traceroute results, as they apply to network analysis and reconstruction.	2
S0242	Skill in interpreting vulnerability scanner results to identify vulnerabilities.	2
S0243	Skill in knowledge management, including technical documentation techniques (e.g., Wiki page).	2
S0244	Skill in managing client relationships, including determining client needs/requirements, managing client expectations, and demonstrating commitment to delivering quality results.	3
S0248	Skill in performing target system analysis.	3
S0249	Skill in preparing and presenting briefings.	8
S0250	Skill in preparing plans and related correspondence.	5
S0251	Skill in prioritizing target language material.	2
S0252	Skill in processing collected data for follow-on analysis.	2
S0254	Skill in providing analysis to aid writing phased after action reports.	3
S0271	Skill in reviewing and editing assessment products.	3
S0273	Skill in reviewing and editing plans.	3
S0278	Skill in tailoring analysis to the necessary levels (e.g., classification and organizational).	6
S0279	Skill in target development in direct support of collection operations.	2
S0280	Skill in target network anomaly identification (e.g., intrusions, dataflow or processing, target implementation of new technologies).	2
S0281	Skill in technical writing.	3
S0296	Skill in utilizing feedback to improve processes, products, and services.	9
S0304	Skill to access information on current assets available, usage.	3
S0305	Skill to access the databases where plans/directives/guidance are maintained.	3
S0306	Skill to analyze strategic guidance for issues requiring clarification and/or additional guidance.	2
S0307	Skill to analyze target or threat sources of strength and morale.	2
S0325	Skill to develop a collection plan that clearly shows the discipline that can be used to collect the information needed.	2
S0329	Skill to evaluate requests for information to determine if response information exists.	2
S0332	Skill to extract information from available tools and applications associated with collection requirements and collection operations management.	2
S0367	Skill to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).	14
S0370	Skill to use cyber defense Service Provider reporting structure and processes within one’s own organization.	2
S0374	Skill to identify cybersecurity and privacy issues that stem from connections with internal and external customers and partner organizations.	3

Abilities 49

Code	Description	Work Roles
A0001	Ability to identify systemic security issues based on the analysis of vulnerability and configuration data.	4
A0011	Ability to answer questions in a clear and concise manner.	2
A0012	Ability to ask clarifying questions.	3
A0013	Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means.	14
A0014	Ability to communicate effectively when writing.	3
A0015	Ability to conduct vulnerability scans and recognize vulnerabilities in security systems.	8
A0016	Ability to facilitate small group discussions.	2
A0018	Ability to prepare and present briefings.	4
A0019	Ability to produce technical documentation.	5
A0023	Ability to design valid and reliable assessments.	3
A0026	Ability to analyze test data.	3
A0030	Ability to collect, verify, and validate test data.	2
A0035	Ability to dissect a problem and examine the interrelationships between data that may appear unrelated.	2
A0036	Ability to identify basic common coding flaws at a high level.	2
A0040	Ability to translate data and test results into evaluative conclusions.	3
A0056	Ability to ensure security practices are followed throughout the acquisition process.	6
A0069	Ability to apply collaborative skills and strategies.	3
A0070	Ability to apply critical reading/thinking skills.	9
A0082	Ability to effectively collaborate via virtual teams.	7
A0083	Ability to evaluate information for reliability, validity, and relevance.	6
A0084	Ability to evaluate, analyze, and synthesize large quantities of data (which may be fragmented and contradictory) into high quality, fused targeting/intelligence products.	7
A0085	Ability to exercise judgment when policies are not well-defined.	9
A0086	Ability to expand network access by conducting target analysis and collection to identify targets of interest.	2
A0087	Ability to focus research efforts to meet the customer’s decision-making needs.	6
A0088	Ability to function effectively in a dynamic, fast-paced environment.	7
A0089	Ability to function in a collaborative environment, seeking continuous consultation with other analysts and experts—both internal and external to the organization—to leverage analytical and technical expertise.	13
A0090	Ability to identify external partners with common cyber operations interests.	5
A0091	Ability to identify intelligence gaps.	6
A0092	Ability to identify/describe target vulnerability.	2
A0093	Ability to identify/describe techniques/methods for conducting technical exploitation of the target.	2
A0094	Ability to interpret and apply laws, regulations, policies, and guidance relevant to organization cyber objectives.	6
A0095	Ability to interpret and translate customer requirements into operational action.	2
A0096	Ability to interpret and understand complex and rapidly evolving concepts.	4
A0098	Ability to participate as a member of planning teams, coordination groups, and task forces as necessary.	5
A0101	Ability to recognize and mitigate cognitive biases which may affect analysis.	6
A0106	Ability to think critically.	9
A0108	Ability to understand objectives and effects.	4
A0109	Ability to utilize multiple intelligence sources across all intelligence disciplines.	6
A0117	Ability to relate strategy, business, and technology in the context of organizational dynamics.	3
A0118	Ability to understand technology, management, and leadership issues related to organization processes and problem solving.	5
A0119	Ability to understand the basic concepts and issues related to cyber and its organizational impact.	7
A0111	Ability to work across departments and business units to implement organization’s privacy principles and programs, and align privacy objectives with security objectives.	3
A0112	Ability to monitor advancements in information privacy technologies to ensure organizational adaptation and compliance.	4
A0114	Ability to develop or procure curriculum that speaks to the topic at the appropriate level for the target.	4
A0115	Ability to work across departments and business units to implement organization’s privacy principles and programs, and align privacy objectives with security objectives.	2
A0116	Ability to prioritize and allocate cybersecurity resources correctly and efficiently.	2
A0119	Ability to understand the basic concepts and issues related to cyber and its organizational impact.	7
A0123	Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).	15
A0170	Ability to identify critical infrastructure systems with information communication technology that were designed without system security considerations.	11

Tasks 21

Code	Description	Work Roles
T0264	Ensure that plans of actions and milestones or remediation plans are in place for vulnerabilities identified during risk assessments, audits, inspections, etc.	3
T0265	Assure successful implementation and functionality of security requirements and appropriate information technology (IT) policies and procedures that are consistent with the organization's mission and goals.	2
T0268	Define and document how the implementation of a new system or new interfaces between systems impacts the security posture of the current environment.	2
T0272	Ensure that security design and cybersecurity development activities are properly documented (providing a functional description of security implementation) and updated as necessary.	2
T0275	Support necessary compliance activities (e.g., ensure that system security configuration guidelines are followed, compliance monitoring occurs).	2
T0277	Ensure that all acquisitions, procurements, and outsourcing efforts address information security requirements consistent with organization goals.	6
T0309	Assess the effectiveness of security controls.	2
T0344	Assess all the configuration management (change configuration/release management) processes.	2
T0371	Establish acceptable limits for the software application, network, or system.	2
T0495	Manage Accreditation Packages (e.g., ISO/IEC 15026-2).	2
T0145	Manage and approve Accreditation Packages (e.g., ISO/IEC 15026-2).	2
T0177	Perform security reviews, identify gaps in security architecture, and develop a security risk management plan.	3
T0178	Perform security reviews and identify security gaps in security architecture resulting in recommendations for inclusion in the risk mitigation strategy.	2
T0181	Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change.	5
T0184	Plan and conduct security authorization reviews and assurance case development for initial installation of systems and networks.	1
T0205	Provide input to the Risk Management Framework process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials).	6
T0221	Review authorization and assurance documents to confirm that the level of risk is within acceptable limits for each software application, system, and network.	2
T0243	Verify and update security documentation reflecting the application/system security design features.	2
T0244	Verify that application software/network/system security postures are implemented as stated, document deviations, and recommend required actions to correct those deviations.	1
T0251	Develop security compliance processes and/or audits for external services (e.g., cloud service providers, data centers).	1
T0255	Participate in Risk Governance process to provide security risks, mitigations, and input on other technical risk.	2