SP-SYS-001 Information Systems Security Developer

Conceptualizes, designs, procures, and/or builds secure information technology (IT) systems, with responsibility for aspects of system and/or network development.

Works on the development phases of the systems development life cycle.

Designs, develops, tests, and evaluates information system security throughout the systems development life cycle.

Knowledges 58

Code Description Work Roles
K0001 Knowledge of computer networking concepts and protocols, and network security methodologies. 52
K0002 Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). 52
K0003 Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy. 52
K0004 Knowledge of cybersecurity and privacy principles. 52
K0005 Knowledge of cyber threats and vulnerabilities. 52
K0006 Knowledge of specific operational impacts of cybersecurity lapses. 52
K0015 Knowledge of computer algorithms. 6
K0018 Knowledge of encryption algorithms. 11
K0024 Knowledge of database systems. 7
K0027 Knowledge of organization's enterprise information security architecture. 9
K0028 Knowledge of organization's evaluation and validation requirements. 8
K0030 Knowledge of electrical engineering as applied to computer architecture (e.g., circuit boards, processors, chips, and computer hardware). 4
K0032 Knowledge of resiliency and redundancy. 3
K0035 Knowledge of installation, integration, and optimization of system components. 6
K0036 Knowledge of human-computer interaction principles. 12
K0044 Knowledge of cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). 14
K0045 Knowledge of information security systems engineering principles (NIST SP 800-160). 3
K0049 Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption). 8
K0050 Knowledge of local area and wide area networking principles and concepts including bandwidth management. 6
K0052 Knowledge of mathematics (e.g. logarithms, trigonometry, linear algebra, calculus, statistics, and operational analysis). 6
K0055 Knowledge of microprocessors. 4
K0056 Knowledge of network access, identity, and access management (e.g., public key infrastructure, OAuth, OpenID, SAML, SPML). 11
K0060 Knowledge of operating systems. 13
K0061 Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]). 11
K0063 Knowledge of parallel and distributed computing concepts. 6
K0065 Knowledge of policy-based and risk adaptive access controls. 5
K0066 Knowledge of Privacy Impact Assessments. 6
K0067 Knowledge of process engineering concepts. 3
K0073 Knowledge of secure configuration management techniques (e.g., Security Technical Implementation Guides (STIGs), cybersecurity best practices on cisecurity.org). 5
K0081 Knowledge of software development models (e.g., Waterfall Model, Spiral Model). 4
K0082 Knowledge of software engineering. 7
K0084 Knowledge of structured analysis principles and methods. 6
K0086 Knowledge of system design tools, methods, and techniques, including automated systems analysis and design tools. 5
K0087 Knowledge of system software and organizational design standards, policies, and authorized approaches (e.g., International Organization for Standardization [ISO] guidelines) relating to system design. 4
K0090 Knowledge of system life cycle management principles, including software security and usability. 10
K0091 Knowledge of systems testing and evaluation methods. 6
K0093 Knowledge of telecommunications concepts (e.g., Communications channel, Systems Link Budgeting, Spectral efficiency, Multiplexing). 8
K0102 Knowledge of the systems engineering process. 7
K0126 Knowledge of Supply Chain Risk Management Practices (NIST SP 800-161). 14
K0139 Knowledge of interpreted and compiled computer languages. 8
K0169 Knowledge of information technology (IT) supply chain security and supply chain risk management policies, requirements, and procedures. 14
K0170 Knowledge of critical infrastructure systems with information communication technology that were designed without system security considerations. 12
K0179 Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). 19
K0180 Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools. 9
K0200 Knowledge of service management concepts for networks and related standards (e.g., Information Technology Infrastructure Library, current version [ITIL]). 11
K0203 Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model). 10
K0260 Knowledge of Personally Identifiable Information (PII) data security standards. 16
K0261 Knowledge of Payment Card Industry (PCI) data security standards. 17
K0262 Knowledge of Personal Health Information (PHI) data security standards. 17
K0276 Knowledge of security management. 3
K0287 Knowledge of an organization's information classification program and procedures for information compromise. 18
K0297 Knowledge of countermeasure design for identified security risks. 4
K0308 Knowledge of cryptology. 3
K0322 Knowledge of embedded systems. 10
K0325 Knowledge of Information Theory (e.g., source coding, channel coding, algorithm complexity theory, and data compression). 6
K0332 Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services. 14
K0333 Knowledge of network design processes, to include understanding of security objectives, operational objectives, and trade-offs. 6
K0336 Knowledge of access authentication methods. 3

Skills 11

Code Description Work Roles
S0001 Skill in conducting vulnerability scans and recognizing vulnerabilities in security systems. 6
S0022 Skill in designing countermeasures to identified security risks. 5
S0023 Skill in designing security controls based on cybersecurity principles and tenets. 2
S0024 Skill in designing the integration of hardware and software solutions. 5
S0031 Skill in developing and applying security system access controls. 5
S0034 Skill in discerning the protection needs (i.e., security controls) of information systems and networks. 6
S0036 Skill in evaluating the adequacy of security designs. 4
S0085 Skill in conducting audits or reviews of technical systems. 3
S0145 Skill in integrating and applying policies that meet system security objectives. 3
S0160 Skill in the use of design modeling (e.g., unified modeling language). 3
S0367 Skill to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). 14

Abilities 20

Code Description Work Roles
A0001 Ability to identify systemic security issues based on the analysis of vulnerability and configuration data. 4
A0008 Ability to apply the methods, standards, and approaches for describing, analyzing, and documenting an organization's enterprise information technology (IT) architecture (e.g., Open Group Architecture Framework [TOGAF], Department of Defense Architecture Framework [DoDAF], Federal Enterprise Architecture Framework [FEAF]). 3
A0012 Ability to ask clarifying questions. 3
A0013 Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means. 14
A0015 Ability to conduct vulnerability scans and recognize vulnerabilities in security systems. 8
A0019 Ability to produce technical documentation. 5
A0026 Ability to analyze test data. 3
A0040 Ability to translate data and test results into evaluative conclusions. 3
A0048 Ability to apply network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). 2
A0049 Ability to apply secure system design tools, methods and techniques. 2
A0050 Ability to apply system design tools, methods, and techniques, including automated systems analysis and design tools. 2
A0056 Ability to ensure security practices are followed throughout the acquisition process. 6
A0061 Ability to design architectures and frameworks. 2
A0074 Ability to collaborate effectively with others. 6
A0089 Ability to function in a collaborative environment, seeking continuous consultation with other analysts and experts—both internal and external to the organization—to leverage analytical and technical expertise. 13
A0098 Ability to participate as a member of planning teams, coordination groups, and task forces as necessary. 5
A0108 Ability to understand objectives and effects. 4
A0119 Ability to understand the basic concepts and issues related to cyber and its organizational impact. 7
A0123 Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). 15
A0170 Ability to identify critical infrastructure systems with information communication technology that were designed without system security considerations. 11

Tasks 41

Code Description Work Roles
T0269 Design and develop key management functions (as related to cybersecurity). 1
T0270 Analyze user needs and requirements to plan and conduct system security development. 1
T0271 Develop cybersecurity designs to meet specific operational needs and environmental factors (e.g., access controls, automated applications, networked operations, high integrity and availability requirements, multilevel security/processing of multiple classification levels, and processing Sensitive Compartmented Information). 1
T0272 Ensure that security design and cybersecurity development activities are properly documented (providing a functional description of security implementation) and updated as necessary. 2
T0304 Implement and integrate system development life cycle (SDLC) methodologies (e.g., IBM Rational Unified Process) into development environment. 2
T0326 Employ configuration management processes. 2
T0359 Design, implement, test, and evaluate secure interfaces between information systems, physical systems, and/or embedded technologies. 2
T0446 Design, develop, integrate, and update system security measures that provide confidentiality, integrity, availability, authentication, and non-repudiation. 1
T0449 Design to security requirements to ensure requirements are met for all systems and/or applications. 2
T0466 Develop mitigation strategies to address cost, schedule, performance, and security risks. 2
T0509 Perform an information security risk assessment. 2
T0518 Perform security reviews and identify security gaps in architecture. 2
T0527 Provide input to implementation plans and standard operating procedures as they relate to information systems security. 1
T0541 Trace system requirements to design components and perform gap analysis. 2
T0544 Verify stability, interoperability, portability, and/or scalability of system architecture. 2
T0012 Analyze design constraints, analyze trade-offs and detailed system and security design, and consider life cycle support. 2
T0015 Apply security policies to applications that interface with one another, such as Business-to-Business (B2B) applications. 2
T0018 Assess the effectiveness of cybersecurity measures utilized by system(s). 1
T0019 Assess threats to and vulnerabilities of computer system(s) to develop a security risk profile. 1
T0021 Build, test, and modify product prototypes using working models or theoretical models. 2
T0032 Conduct Privacy Impact Assessments (PIAs) of the application’s security design for the appropriate security controls, which protect the confidentiality and integrity of Personally Identifiable Information (PII). 2
T0053 Design and develop cybersecurity or cybersecurity-enabled products. 2
T0055 Design hardware, operating systems, and software applications to adequately address cybersecurity requirements. 1
T0056 Design or integrate appropriate data backup capabilities into overall system designs, and ensure that appropriate technical and procedural processes exist for secure system backups and protected storage of backup data. 2
T0061 Develop and direct system testing and validation procedures and documentation. 2
T0069 Develop detailed security design documentation for component and interface specifications to support system design and development. 1
T0070 Develop Disaster Recovery and Continuity of Operations plans for systems under development and ensure testing prior to systems entering a production environment. 2
T0076 Develop risk mitigation strategies to resolve vulnerabilities and recommend security changes to system or system components as needed. 1
T0078 Develop specific cybersecurity countermeasures and risk mitigation strategies for systems and/or applications. 1
T0105 Identify components or elements, allocate security functions to those elements, and describe the relationships between the elements. 1
T0107 Identify and direct the remediation of technical problems encountered during testing and implementation of new systems (e.g., identify and find work-arounds for communication protocols that are not interoperable). 2
T0109 Identify and prioritize essential system functions or sub-systems required to support essential capabilities or business functions for restoration or recovery after a system failure or during a system recovery event based on overall system requirements for continuity and availability. 2
T0119 Identify, assess, and recommend cybersecurity or cybersecurity-enabled products for use within a system and ensure that recommended products are in compliance with organization's evaluation and validation requirements. 2
T0122 Implement security designs for new or existing system(s). 1
T0124 Incorporate cybersecurity vulnerability solutions into system designs (e.g., Cybersecurity Vulnerability Alerts). 1
T0181 Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change. 5
T0201 Provide guidelines for implementing developed systems to customers or installation teams. 2
T0205 Provide input to the Risk Management Framework process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials). 6
T0228 Store, retrieve, and manipulate data for analysis of system capabilities and requirements. 4
T0231 Provide support to security/certification test and evaluation activities. 1
T0242 Utilize models and simulations to analyze or predict system performance under different operating conditions. 2