SP-SYS-001 Information Systems Security Developer
Conceptualizes, designs, procures, and/or builds secure information technology (IT) systems, with responsibility for aspects of system and/or network development.
Works on the development phases of the systems development life cycle.
Designs, develops, tests, and evaluates information system security throughout the systems development life cycle.
Knowledges 58
Code | Description | Work Roles |
---|---|---|
K0001 | Knowledge of computer networking concepts and protocols, and network security methodologies. | 52 |
K0002 | Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). | 52 |
K0003 | Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy. | 52 |
K0004 | Knowledge of cybersecurity and privacy principles. | 52 |
K0005 | Knowledge of cyber threats and vulnerabilities. | 52 |
K0006 | Knowledge of specific operational impacts of cybersecurity lapses. | 52 |
K0015 | Knowledge of computer algorithms. | 6 |
K0018 | Knowledge of encryption algorithms. | 11 |
K0024 | Knowledge of database systems. | 7 |
K0027 | Knowledge of organization's enterprise information security architecture. | 9 |
K0028 | Knowledge of organization's evaluation and validation requirements. | 8 |
K0030 | Knowledge of electrical engineering as applied to computer architecture (e.g., circuit boards, processors, chips, and computer hardware). | 4 |
K0032 | Knowledge of resiliency and redundancy. | 3 |
K0035 | Knowledge of installation, integration, and optimization of system components. | 6 |
K0036 | Knowledge of human-computer interaction principles. | 12 |
K0044 | Knowledge of cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). | 14 |
K0045 | Knowledge of information security systems engineering principles (NIST SP 800-160). | 3 |
K0049 | Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption). | 8 |
K0050 | Knowledge of local area and wide area networking principles and concepts including bandwidth management. | 6 |
K0052 | Knowledge of mathematics (e.g., logarithms, trigonometry, linear algebra, calculus, statistics, and operational analysis). | 6 |
K0055 | Knowledge of microprocessors. | 4 |
K0056 | Knowledge of network access, identity, and access management (e.g., public key infrastructure, OAuth, OpenID, SAML, SPML). | 11 |
K0060 | Knowledge of operating systems. | 13 |
K0061 | Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]). | 11 |
K0063 | Knowledge of parallel and distributed computing concepts. | 6 |
K0065 | Knowledge of policy-based and risk adaptive access controls. | 5 |
K0066 | Knowledge of Privacy Impact Assessments. | 6 |
K0067 | Knowledge of process engineering concepts. | 3 |
K0073 | Knowledge of secure configuration management techniques (e.g., Security Technical Implementation Guides (STIGs), cybersecurity best practices on cisecurity.org). | 5 |
K0081 | Knowledge of software development models (e.g., Waterfall Model, Spiral Model). | 4 |
K0082 | Knowledge of software engineering. | 7 |
K0084 | Knowledge of structured analysis principles and methods. | 6 |
K0086 | Knowledge of system design tools, methods, and techniques, including automated systems analysis and design tools. | 5 |
K0087 | Knowledge of system software and organizational design standards, policies, and authorized approaches (e.g., International Organization for Standardization [ISO] guidelines) relating to system design. | 4 |
K0090 | Knowledge of system life cycle management principles, including software security and usability. | 10 |
K0091 | Knowledge of systems testing and evaluation methods. | 6 |
K0093 | Knowledge of telecommunications concepts (e.g., Communications channel, Systems Link Budgeting, Spectral efficiency, Multiplexing). | 8 |
K0102 | Knowledge of the systems engineering process. | 7 |
K0126 | Knowledge of Supply Chain Risk Management Practices (NIST SP 800-161). | 14 |
K0139 | Knowledge of interpreted and compiled computer languages. | 8 |
K0169 | Knowledge of information technology (IT) supply chain security and supply chain risk management policies, requirements, and procedures. | 14 |
K0170 | Knowledge of critical infrastructure systems with information communication technology that were designed without system security considerations. | 12 |
K0179 | Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). | 19 |
K0180 | Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools. | 9 |
K0200 | Knowledge of service management concepts for networks and related standards (e.g., Information Technology Infrastructure Library, current version [ITIL]). | 11 |
K0203 | Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model). | 10 |
K0260 | Knowledge of Personally Identifiable Information (PII) data security standards. | 16 |
K0261 | Knowledge of Payment Card Industry (PCI) data security standards. | 17 |
K0262 | Knowledge of Personal Health Information (PHI) data security standards. | 17 |
K0276 | Knowledge of security management. | 3 |
K0287 | Knowledge of an organization's information classification program and procedures for information compromise. | 18 |
K0297 | Knowledge of countermeasure design for identified security risks. | 4 |
K0308 | Knowledge of cryptology. | 3 |
K0322 | Knowledge of embedded systems. | 10 |
K0325 | Knowledge of Information Theory (e.g., source coding, channel coding, algorithm complexity theory, and data compression). | 6 |
K0332 | Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services. | 14 |
K0333 | Knowledge of network design processes, to include understanding of security objectives, operational objectives, and trade-offs. | 6 |
K0336 | Knowledge of access authentication methods. | 3 |
Skills 11
Code | Description | Work Roles |
---|---|---|
S0001 | Skill in conducting vulnerability scans and recognizing vulnerabilities in security systems. | 6 |
S0022 | Skill in designing countermeasures to identified security risks. | 5 |
S0023 | Skill in designing security controls based on cybersecurity principles and tenets. | 2 |
S0024 | Skill in designing the integration of hardware and software solutions. | 5 |
S0031 | Skill in developing and applying security system access controls. | 5 |
S0034 | Skill in discerning the protection needs (i.e., security controls) of information systems and networks. | 6 |
S0036 | Skill in evaluating the adequacy of security designs. | 4 |
S0085 | Skill in conducting audits or reviews of technical systems. | 3 |
S0145 | Skill in integrating and applying policies that meet system security objectives. | 3 |
S0160 | Skill in the use of design modeling (e.g., unified modeling language). | 3 |
S0367 | Skill to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). | 14 |
Abilities 20
Code | Description | Work Roles |
---|---|---|
A0001 | Ability to identify systemic security issues based on the analysis of vulnerability and configuration data. | 4 |
A0008 | Ability to apply the methods, standards, and approaches for describing, analyzing, and documenting an organization's enterprise information technology (IT) architecture (e.g., Open Group Architecture Framework [TOGAF], Department of Defense Architecture Framework [DoDAF], Federal Enterprise Architecture Framework [FEAF]). | 3 |
A0012 | Ability to ask clarifying questions. | 3 |
A0013 | Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means. | 14 |
A0015 | Ability to conduct vulnerability scans and recognize vulnerabilities in security systems. | 8 |
A0019 | Ability to produce technical documentation. | 5 |
A0026 | Ability to analyze test data. | 3 |
A0040 | Ability to translate data and test results into evaluative conclusions. | 3 |
A0048 | Ability to apply network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). | 2 |
A0049 | Ability to apply secure system design tools, methods and techniques. | 2 |
A0050 | Ability to apply system design tools, methods, and techniques, including automated systems analysis and design tools. | 2 |
A0056 | Ability to ensure security practices are followed throughout the acquisition process. | 6 |
A0061 | Ability to design architectures and frameworks. | 2 |
A0074 | Ability to collaborate effectively with others. | 6 |
A0089 | Ability to function in a collaborative environment, seeking continuous consultation with other analysts and experts—both internal and external to the organization—to leverage analytical and technical expertise. | 13 |
A0098 | Ability to participate as a member of planning teams, coordination groups, and task forces as necessary. | 5 |
A0108 | Ability to understand objectives and effects. | 4 |
A0119 | Ability to understand the basic concepts and issues related to cyber and its organizational impact. | 7 |
A0123 | Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). | 15 |
A0170 | Ability to identify critical infrastructure systems with information communication technology that were designed without system security considerations. | 11 |
Tasks 41
Code | Description | Work Roles |
---|---|---|
T0269 | Design and develop key management functions (as related to cybersecurity). | 1 |
T0270 | Analyze user needs and requirements to plan and conduct system security development. | 1 |
T0271 | Develop cybersecurity designs to meet specific operational needs and environmental factors (e.g., access controls, automated applications, networked operations, high integrity and availability requirements, multilevel security/processing of multiple classification levels, and processing Sensitive Compartmented Information). | 1 |
T0272 | Ensure that security design and cybersecurity development activities are properly documented (providing a functional description of security implementation) and updated as necessary. | 2 |
T0304 | Implement and integrate system development life cycle (SDLC) methodologies (e.g., IBM Rational Unified Process) into development environment. | 2 |
T0326 | Employ configuration management processes. | 2 |
T0359 | Design, implement, test, and evaluate secure interfaces between information systems, physical systems, and/or embedded technologies. | 2 |
T0446 | Design, develop, integrate, and update system security measures that provide confidentiality, integrity, availability, authentication, and non-repudiation. | 1 |
T0449 | Design to security requirements to ensure requirements are met for all systems and/or applications. | 2 |
T0466 | Develop mitigation strategies to address cost, schedule, performance, and security risks. | 2 |
T0509 | Perform an information security risk assessment. | 2 |
T0518 | Perform security reviews and identify security gaps in architecture. | 2 |
T0527 | Provide input to implementation plans and standard operating procedures as they relate to information systems security. | 1 |
T0541 | Trace system requirements to design components and perform gap analysis. | 2 |
T0544 | Verify stability, interoperability, portability, and/or scalability of system architecture. | 2 |
T0012 | Analyze design constraints, analyze trade-offs and detailed system and security design, and consider life cycle support. | 2 |
T0015 | Apply security policies to applications that interface with one another, such as Business-to-Business (B2B) applications. | 2 |
T0018 | Assess the effectiveness of cybersecurity measures utilized by system(s). | 1 |
T0019 | Assess threats to and vulnerabilities of computer system(s) to develop a security risk profile. | 1 |
T0021 | Build, test, and modify product prototypes using working models or theoretical models. | 2 |
T0032 | Conduct Privacy Impact Assessments (PIAs) of the application’s security design for the appropriate security controls, which protect the confidentiality and integrity of Personally Identifiable Information (PII). | 2 |
T0053 | Design and develop cybersecurity or cybersecurity-enabled products. | 2 |
T0055 | Design hardware, operating systems, and software applications to adequately address cybersecurity requirements. | 1 |
T0056 | Design or integrate appropriate data backup capabilities into overall system designs, and ensure that appropriate technical and procedural processes exist for secure system backups and protected storage of backup data. | 2 |
T0061 | Develop and direct system testing and validation procedures and documentation. | 2 |
T0069 | Develop detailed security design documentation for component and interface specifications to support system design and development. | 1 |
T0070 | Develop Disaster Recovery and Continuity of Operations plans for systems under development and ensure testing prior to systems entering a production environment. | 2 |
T0076 | Develop risk mitigation strategies to resolve vulnerabilities and recommend security changes to system or system components as needed. | 1 |
T0078 | Develop specific cybersecurity countermeasures and risk mitigation strategies for systems and/or applications. | 1 |
T0105 | Identify components or elements, allocate security functions to those elements, and describe the relationships between the elements. | 1 |
T0107 | Identify and direct the remediation of technical problems encountered during testing and implementation of new systems (e.g., identify and find work-arounds for communication protocols that are not interoperable). | 2 |
T0109 | Identify and prioritize essential system functions or sub-systems required to support essential capabilities or business functions for restoration or recovery after a system failure or during a system recovery event based on overall system requirements for continuity and availability. | 2 |
T0119 | Identify, assess, and recommend cybersecurity or cybersecurity-enabled products for use within a system and ensure that recommended products are in compliance with organization's evaluation and validation requirements. | 2 |
T0122 | Implement security designs for new or existing system(s). | 1 |
T0124 | Incorporate cybersecurity vulnerability solutions into system designs (e.g., Cybersecurity Vulnerability Alerts). | 1 |
T0181 | Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change. | 5 |
T0201 | Provide guidelines for implementing developed systems to customers or installation teams. | 2 |
T0205 | Provide input to the Risk Management Framework process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials). | 6 |
T0228 | Store, retrieve, and manipulate data for analysis of system capabilities and requirements. | 4 |
T0231 | Provide support to security/certification test and evaluation activities. | 1 |
T0242 | Utilize models and simulations to analyze or predict system performance under different operating conditions. | 2 |