SP-RSK-002 Security Control Assessor

Category: Securely Provision (SP). Conceptualizes, designs, procures, and/or builds secure information technology (IT) systems, with responsibility for aspects of system and/or network development.

Specialty Area: Risk Management (RSK). Oversees, evaluates, and supports the documentation, validation, assessment, and authorization processes necessary to assure that existing and new information technology (IT) systems meet the organization's cybersecurity and risk requirements. Ensures appropriate treatment of risk, compliance, and assurance from internal and external perspectives.

Work Role: Security Control Assessor. Conducts independent, comprehensive assessments of the management, operational, and technical security controls and control enhancements employed within or inherited by an information technology (IT) system to determine the overall effectiveness of the controls (as defined in NIST SP 800-37).

Knowledge 52

Code Description Work Roles (number of NICE work roles that include this item)
K0001 Knowledge of computer networking concepts and protocols, and network security methodologies. 52
K0002 Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). 52
K0003 Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy. 52
K0004 Knowledge of cybersecurity and privacy principles. 52
K0005 Knowledge of cyber threats and vulnerabilities. 52
K0006 Knowledge of specific operational impacts of cybersecurity lapses. 52
K0007 Knowledge of authentication, authorization, and access control methods. 4
K0008 Knowledge of applicable business processes and operations of customer organizations. 5
K0009 Knowledge of application vulnerabilities. 6
K0010 Knowledge of communication methods, principles, and concepts that support the network infrastructure. 3
K0011 Knowledge of capabilities and applications of network equipment including routers, switches, bridges, servers, transmission media, and related hardware. 3
K0013 Knowledge of cyber defense and vulnerability assessment tools and their capabilities. 5
K0018 Knowledge of encryption algorithms. 11
K0019 Knowledge of cryptography and cryptographic key management concepts. 8
K0021 Knowledge of data backup and recovery. 9
K0024 Knowledge of database systems. 7
K0026 Knowledge of business continuity, disaster recovery, and continuity of operations plans. 5
K0027 Knowledge of organization's enterprise information security architecture. 9
K0028 Knowledge of organization's evaluation and validation requirements. 8
K0029 Knowledge of organization's Local and Wide Area Network connections. 2
K0037 Knowledge of Security Assessment and Authorization process. 5
K0038 Knowledge of cybersecurity and privacy principles used to manage risks related to the use, processing, storage, and transmission of information or data. 6
K0040 Knowledge of vulnerability information dissemination sources (e.g., alerts, advisories, errata, and bulletins). 5
K0044 Knowledge of cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). 14
K0048 Knowledge of Risk Management Framework (RMF) requirements. 8
K0049 Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption). 8
K0054 Knowledge of current industry methods for evaluating, implementing, and disseminating information technology (IT) security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities. 3
K0056 Knowledge of network access, identity, and access management (e.g., public key infrastructure, OAuth, OpenID, SAML, SPML). 11
K0059 Knowledge of new and emerging information technology (IT) and cybersecurity technologies. 12
K0070 Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, SQL and Procedural Language/Structured Query Language [PL/SQL] injection, race conditions, covert channels, replay, return-oriented attacks, malicious code). 13
K0084 Knowledge of structured analysis principles and methods. 6
K0089 Knowledge of systems diagnostic tools and fault identification techniques. 3
K0098 Knowledge of the cyber defense Service Provider reporting structure and processes within one’s own organization. 2
K0100 Knowledge of the enterprise information technology (IT) architecture. 2
K0101 Knowledge of the organization’s enterprise information technology (IT) goals and objectives. 8
K0126 Knowledge of Supply Chain Risk Management Practices (NIST SP 800-161). 14
K0146 Knowledge of the organization's core business/mission processes. 10
K0168 Knowledge of applicable laws, statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures. 11
K0169 Knowledge of information technology (IT) supply chain security and supply chain risk management policies, requirements, and procedures. 14
K0170 Knowledge of critical infrastructure systems with information communication technology that were designed without system security considerations. 12
K0179 Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). 19
K0199 Knowledge of security architecture concepts and enterprise architecture reference models (e.g., Zachman, Federal Enterprise Architecture [FEA]). 6
K0203 Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model). 10
K0260 Knowledge of Personally Identifiable Information (PII) data security standards. 16
K0261 Knowledge of Payment Card Industry (PCI) data security standards. 17
K0262 Knowledge of Personal Health Information (PHI) data security standards. 17
K0267 Knowledge of laws, policies, procedures, or governance relevant to cybersecurity for critical infrastructures. 8
K0287 Knowledge of an organization's information classification program and procedures for information compromise. 18
K0322 Knowledge of embedded systems. 10
K0342 Knowledge of penetration testing principles, tools, and techniques. 8
K0622 Knowledge of controls related to the use, processing, storage, and transmission of data. 6
K0624 Knowledge of Application Security Risks (e.g., Open Web Application Security Project Top 10 list). 13

Skills 68

Code Description Work Roles (number of NICE work roles that include this item)
S0001 Skill in conducting vulnerability scans and recognizing vulnerabilities in security systems. 6
S0006 Skill in applying confidentiality, integrity, and availability principles. 3
S0027 Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes. 7
S0034 Skill in discerning the protection needs (i.e., security controls) of information systems and networks. 6
S0038 Skill in identifying measures or indicators of system performance and the actions needed to improve or correct performance, relative to the goals of the system. 5
S0073 Skill in using virtual machines (e.g., Microsoft Hyper-V, VMware vSphere, Citrix XenDesktop/Server, Amazon Elastic Compute Cloud). 5
S0078 Skill in recognizing and categorizing types of vulnerabilities and associated attacks. 3
S0097 Skill in applying security controls. 3
S0100 Skill in utilizing or developing learning activities (e.g., scenarios, instructional games, interactive exercises). 2
S0110 Skill in identifying Test & Evaluation infrastructure (people, ranges, tools, instrumentation) requirements. 2
S0111 Skill in interfacing with customers. 2
S0112 Skill in managing test assets, test resources, and test personnel to ensure effective completion of test events. 2
S0115 Skill in preparing Test & Evaluation reports. 2
S0120 Skill in reviewing logs to identify evidence of past intrusions. 2
S0124 Skill in troubleshooting and diagnosing cyber defense infrastructure anomalies and working through resolution. 2
S0128 Skill in using manpower and personnel IT systems. 2
S0134 Skill in conducting reviews of systems. 2
S0135 Skill in secure test plan design (e.g., unit, integration, system, acceptance). 3
S0136 Skill in network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools. 2
S0137 Skill in conducting application vulnerability assessments. 2
S0138 Skill in integrating Public-Key Infrastructure (PKI) encryption and digital signature capabilities into applications (e.g., S/MIME email, SSL/TLS traffic). 5
S0141 Skill in assessing security systems designs. 2
S0145 Skill in integrating and applying policies that meet system security objectives. 3
S0147 Skill in assessing security controls based on cybersecurity principles and tenets (e.g., CIS CSC, NIST SP 800-53, Cybersecurity Framework). 3
S0171 Skill in performing impact/risk assessments. 2
S0172 Skill in applying secure coding techniques. 2
S0173 Skill in using security event correlation tools. 2
S0174 Skill in using code analysis tools. 3
S0175 Skill in performing root cause analysis. 3
S0176 Skill in administrative planning activities, to include preparation of functional and specific support plans, preparing and managing correspondence, and staffing procedures. 4
S0177 Skill in analyzing a target's communication networks. 2
S0184 Skill in analyzing traffic to identify network devices. 4
S0232 Skill in identifying intelligence gaps and limitations. 2
S0233 Skill in identifying language issues that may have an impact on organization objectives. 2
S0234 Skill in identifying leads for target development. 2
S0235 Skill in identifying non-target regional languages and dialects. 2
S0236 Skill in identifying the devices that work at each level of protocol models. 3
S0237 Skill in identifying, locating, and tracking targets via geospatial analysis techniques. 2
S0238 Skill in information prioritization as it relates to operations. 2
S0239 Skill in interpreting compiled and interpreted programming languages. 2
S0240 Skill in interpreting metadata and content as applied by collection systems. 2
S0241 Skill in interpreting traceroute results, as they apply to network analysis and reconstruction. 2
S0242 Skill in interpreting vulnerability scanner results to identify vulnerabilities. 2
S0243 Skill in knowledge management, including technical documentation techniques (e.g., Wiki page). 2
S0244 Skill in managing client relationships, including determining client needs/requirements, managing client expectations, and demonstrating commitment to delivering quality results. 3
S0248 Skill in performing target system analysis. 3
S0249 Skill in preparing and presenting briefings. 8
S0250 Skill in preparing plans and related correspondence. 5
S0251 Skill in prioritizing target language material. 2
S0252 Skill in processing collected data for follow-on analysis. 2
S0254 Skill in providing analysis to aid writing phased after action reports. 3
S0271 Skill in reviewing and editing assessment products. 3
S0273 Skill in reviewing and editing plans. 3
S0278 Skill in tailoring analysis to the necessary levels (e.g., classification and organizational). 6
S0279 Skill in target development in direct support of collection operations. 2
S0280 Skill in target network anomaly identification (e.g., intrusions, dataflow or processing, target implementation of new technologies). 2
S0281 Skill in technical writing. 3
S0296 Skill in utilizing feedback to improve processes, products, and services. 9
S0304 Skill to access information on current assets available, usage. 3
S0305 Skill to access the databases where plans/directives/guidance are maintained. 3
S0306 Skill to analyze strategic guidance for issues requiring clarification and/or additional guidance. 2
S0307 Skill to analyze target or threat sources of strength and morale. 2
S0325 Skill to develop a collection plan that clearly shows the discipline that can be used to collect the information needed. 2
S0329 Skill to evaluate requests for information to determine if response information exists. 2
S0332 Skill to extract information from available tools and applications associated with collection requirements and collection operations management. 2
S0367 Skill to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). 14
S0370 Skill to use cyber defense Service Provider reporting structure and processes within one’s own organization. 2
S0374 Skill to identify cybersecurity and privacy issues that stem from connections with internal and external customers and partner organizations. 3

Abilities 48

Code Description Work Roles (number of NICE work roles that include this item)
A0001 Ability to identify systemic security issues based on the analysis of vulnerability and configuration data. 4
A0011 Ability to answer questions in a clear and concise manner. 2
A0012 Ability to ask clarifying questions. 3
A0013 Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means. 14
A0014 Ability to communicate effectively when writing. 3
A0015 Ability to conduct vulnerability scans and recognize vulnerabilities in security systems. 8
A0016 Ability to facilitate small group discussions. 2
A0018 Ability to prepare and present briefings. 4
A0019 Ability to produce technical documentation. 5
A0023 Ability to design valid and reliable assessments. 3
A0026 Ability to analyze test data. 3
A0030 Ability to collect, verify, and validate test data. 2
A0035 Ability to dissect a problem and examine the interrelationships between data that may appear unrelated. 2
A0036 Ability to identify basic common coding flaws at a high level. 2
A0040 Ability to translate data and test results into evaluative conclusions. 3
A0056 Ability to ensure security practices are followed throughout the acquisition process. 6
A0069 Ability to apply collaborative skills and strategies. 3
A0070 Ability to apply critical reading/thinking skills. 9
A0082 Ability to effectively collaborate via virtual teams. 7
A0083 Ability to evaluate information for reliability, validity, and relevance. 6
A0084 Ability to evaluate, analyze, and synthesize large quantities of data (which may be fragmented and contradictory) into high quality, fused targeting/intelligence products. 7
A0085 Ability to exercise judgment when policies are not well-defined. 9
A0086 Ability to expand network access by conducting target analysis and collection to identify targets of interest. 2
A0087 Ability to focus research efforts to meet the customer’s decision-making needs. 6
A0088 Ability to function effectively in a dynamic, fast-paced environment. 7
A0089 Ability to function in a collaborative environment, seeking continuous consultation with other analysts and experts—both internal and external to the organization—to leverage analytical and technical expertise. 13
A0090 Ability to identify external partners with common cyber operations interests. 5
A0091 Ability to identify intelligence gaps. 6
A0092 Ability to identify/describe target vulnerability. 2
A0093 Ability to identify/describe techniques/methods for conducting technical exploitation of the target. 2
A0094 Ability to interpret and apply laws, regulations, policies, and guidance relevant to organization cyber objectives. 6
A0095 Ability to interpret and translate customer requirements into operational action. 2
A0096 Ability to interpret and understand complex and rapidly evolving concepts. 4
A0098 Ability to participate as a member of planning teams, coordination groups, and task forces as necessary. 5
A0101 Ability to recognize and mitigate cognitive biases which may affect analysis. 6
A0106 Ability to think critically. 9
A0108 Ability to understand objectives and effects. 4
A0109 Ability to utilize multiple intelligence sources across all intelligence disciplines. 6
A0111 Ability to work across departments and business units to implement organization’s privacy principles and programs, and align privacy objectives with security objectives. 3
A0112 Ability to monitor advancements in information privacy technologies to ensure organizational adaptation and compliance. 4
A0114 Ability to develop or procure curriculum that speaks to the topic at the appropriate level for the target. 4
A0115 Ability to work across departments and business units to implement organization’s privacy principles and programs, and align privacy objectives with security objectives. 2
A0116 Ability to prioritize and allocate cybersecurity resources correctly and efficiently. 2
A0117 Ability to relate strategy, business, and technology in the context of organizational dynamics. 3
A0118 Ability to understand technology, management, and leadership issues related to organization processes and problem solving. 5
A0119 Ability to understand the basic concepts and issues related to cyber and its organizational impact. 7
A0123 Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). 15
A0170 Ability to identify critical infrastructure systems with information communication technology that were designed without system security considerations. 11

Tasks 21

Code Description Work Roles (number of NICE work roles that include this item)
T0145 Manage and approve Accreditation Packages (e.g., ISO/IEC 15026-2). 2
T0177 Perform security reviews, identify gaps in security architecture, and develop a security risk management plan. 3
T0178 Perform security reviews and identify security gaps in security architecture resulting in recommendations for inclusion in the risk mitigation strategy. 2
T0181 Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change. 5
T0184 Plan and conduct security authorization reviews and assurance case development for initial installation of systems and networks. 1
T0205 Provide input to the Risk Management Framework process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials). 6
T0221 Review authorization and assurance documents to confirm that the level of risk is within acceptable limits for each software application, system, and network. 2
T0243 Verify and update security documentation reflecting the application/system security design features. 2
T0244 Verify that application software/network/system security postures are implemented as stated, document deviations, and recommend required actions to correct those deviations. 1
T0251 Develop security compliance processes and/or audits for external services (e.g., cloud service providers, data centers). 1
T0255 Participate in Risk Governance process to provide security risks, mitigations, and input on other technical risk. 2
T0264 Ensure that plans of actions and milestones or remediation plans are in place for vulnerabilities identified during risk assessments, audits, inspections, etc. 3
T0265 Assure successful implementation and functionality of security requirements and appropriate information technology (IT) policies and procedures that are consistent with the organization's mission and goals. 2
T0268 Define and document how the implementation of a new system or new interfaces between systems impacts the security posture of the current environment. 2
T0272 Ensure that security design and cybersecurity development activities are properly documented (providing a functional description of security implementation) and updated as necessary. 2
T0275 Support necessary compliance activities (e.g., ensure that system security configuration guidelines are followed, compliance monitoring occurs). 2
T0277 Ensure that all acquisitions, procurements, and outsourcing efforts address information security requirements consistent with organization goals. 6
T0309 Assess the effectiveness of security controls. 2
T0344 Assess all the configuration management (change configuration/release management) processes. 2
T0371 Establish acceptable limits for the software application, network, or system. 2
T0495 Manage Accreditation Packages (e.g., ISO/IEC 15026-2). 2