SP-SYS-002 Systems Developer
Conceptualizes, designs, procures, and/or builds secure information technology (IT) systems, with responsibility for aspects of system and/or network development.
Works on the development phases of the systems development life cycle.
Designs, develops, tests, and evaluates information systems throughout the systems development life cycle.
Knowledges 61
| Code | Description | Work Roles |
|---|---|---|
| K0001 | Knowledge of computer networking concepts and protocols, and network security methodologies. | 52 |
| K0002 | Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). | 52 |
| K0003 | Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy. | 52 |
| K0004 | Knowledge of cybersecurity and privacy principles. | 52 |
| K0005 | Knowledge of cyber threats and vulnerabilities. | 52 |
| K0006 | Knowledge of specific operational impacts of cybersecurity lapses. | 52 |
| K0015 | Knowledge of computer algorithms. | 6 |
| K0018 | Knowledge of encryption algorithms | 11 |
| K0024 | Knowledge of database systems. | 7 |
| K0027 | Knowledge of organization's enterprise information security architecture. | 9 |
| K0028 | Knowledge of organization's evaluation and validation requirements. | 8 |
| K0030 | Knowledge of electrical engineering as applied to computer architecture (e.g., circuit boards, processors, chips, and computer hardware). | 4 |
| K0032 | Knowledge of resiliency and redundancy. | 3 |
| K0035 | Knowledge of installation, integration, and optimization of system components. | 6 |
| K0036 | Knowledge of human-computer interaction principles. | 12 |
| K0044 | Knowledge of cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). | 14 |
| K0045 | Knowledge of information security systems engineering principles (NIST SP 800-160). | 3 |
| K0049 | Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption). | 8 |
| K0050 | Knowledge of local area and wide area networking principles and concepts including bandwidth management. | 6 |
| K0052 | Knowledge of mathematics (e.g. logarithms, trigonometry, linear algebra, calculus, statistics, and operational analysis). | 6 |
| K0055 | Knowledge of microprocessors. | 4 |
| K0056 | Knowledge of network access, identity, and access management (e.g., public key infrastructure, Oauth, OpenID, SAML, SPML). | 11 |
| K0060 | Knowledge of operating systems. | 13 |
| K0061 | Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]). | 11 |
| K0063 | Knowledge of parallel and distributed computing concepts. | 6 |
| K0065 | Knowledge of policy-based and risk adaptive access controls. | 5 |
| K0066 | Knowledge of Privacy Impact Assessments. | 6 |
| K0067 | Knowledge of process engineering concepts. | 3 |
| K0073 | Knowledge of secure configuration management techniques. (e.g., Security Technical Implementation Guides (STIGs), cybersecurity best practices on cisecurity.org). | 5 |
| K0081 | Knowledge of software development models (e.g., Waterfall Model, Spiral Model). | 4 |
| K0082 | Knowledge of software engineering. | 7 |
| K0084 | Knowledge of structured analysis principles and methods. | 6 |
| K0086 | Knowledge of system design tools, methods, and techniques, including automated systems analysis and design tools. | 5 |
| K0087 | Knowledge of system software and organizational design standards, policies, and authorized approaches (e.g., International Organization for Standardization [ISO] guidelines) relating to system design. | 4 |
| K0090 | Knowledge of system life cycle management principles, including software security and usability. | 10 |
| K0091 | Knowledge of systems testing and evaluation methods. | 6 |
| K0093 | Knowledge of telecommunications concepts (e.g., Communications channel, Systems Link Budgeting, Spectral efficiency, Multiplexing). | 8 |
| K0102 | Knowledge of the systems engineering process. | 7 |
| K0126 | Knowledge of Supply Chain Risk Management Practices (NIST SP 800-161) | 14 |
| K0139 | Knowledge of interpreted and compiled computer languages. | 8 |
| K0169 | Knowledge of information technology (IT) supply chain security and supply chain risk management policies, requirements, and procedures. | 14 |
| K0170 | Knowledge of critical infrastructure systems with information communication technology that were designed without system security considerations. | 12 |
| K0179 | Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). | 19 |
| K0180 | Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools. | 9 |
| K0200 | Knowledge of service management concepts for networks and related standards (e.g., Information Technology Infrastructure Library, current version [ITIL]). | 11 |
| K0203 | Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model). | 10 |
| K0207 | Knowledge of circuit analysis. | 2 |
| K0212 | Knowledge of cybersecurity-enabled software products. | 4 |
| K0227 | Knowledge of various types of computer architectures. | 4 |
| K0260 | Knowledge of Personally Identifiable Information (PII) data security standards. | 16 |
| K0261 | Knowledge of Payment Card Industry (PCI) data security standards. | 17 |
| K0262 | Knowledge of Personal Health Information (PHI) data security standards. | 17 |
| K0276 | Knowledge of security management. | 3 |
| K0287 | Knowledge of an organization's information classification program and procedures for information compromise. | 18 |
| K0297 | Knowledge of countermeasure design for identified security risks. | 4 |
| K0308 | Knowledge of cryptology. | 3 |
| K0322 | Knowledge of embedded systems. | 10 |
| K0325 | Knowledge of Information Theory (e.g., source coding, channel coding, algorithm complexity theory, and data compression). | 6 |
| K0332 | Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services. | 14 |
| K0333 | Knowledge of network design processes, to include understanding of security objectives, operational objectives, and trade-offs. | 6 |
| K0336 | Knowledge of access authentication methods. | 3 |
Skills 16
| Code | Description | Work Roles |
|---|---|---|
| S0018 | Skill in creating policies that reflect system security objectives. | 3 |
| S0022 | Skill in designing countermeasures to identified security risks. | 5 |
| S0023 | Skill in designing security controls based on cybersecurity principles and tenets. | 2 |
| S0024 | Skill in designing the integration of hardware and software solutions. | 5 |
| S0025 | Skill in detecting host and network based intrusions via intrusion detection technologies (e.g., Snort). | 3 |
| S0031 | Skill in developing and applying security system access controls. | 5 |
| S0034 | Skill in discerning the protection needs (i.e., security controls) of information systems and networks. | 6 |
| S0036 | Skill in evaluating the adequacy of security designs. | 4 |
| S0060 | Skill in writing code in a currently supported programming language (e.g., Java, C++). | 7 |
| S0085 | Skill in conducting audits or reviews of technical systems. | 3 |
| S0097 | Skill in applying security controls. | 3 |
| S0136 | Skill in network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools. | 2 |
| S0145 | Skill in integrating and applying policies that meet system security objectives. | 3 |
| S0146 | Skill in creating policies that enable systems to meet performance objectives (e.g. traffic routing, SLA's, CPU specifications). | 1 |
| S0160 | Skill in the use of design modeling (e.g., unified modeling language). | 3 |
| S0367 | Skill to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). | 14 |
Abilities 2
| Code | Description | Work Roles |
|---|---|---|
| A0123 | Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). | 15 |
| A0170 | Ability to identify critical infrastructure systems with information communication technology that were designed without system security considerations. | 11 |
Tasks 36
| Code | Description | Work Roles |
|---|---|---|
| T0558 | Analyze user needs and requirements to plan and conduct system development. | 1 |
| T0559 | Develop designs to meet specific operational needs and environmental factors (e.g., access controls, automated applications, networked operations. | 1 |
| T0560 | Collaborate on cybersecurity designs to meet specific operational needs and environmental factors (e.g., access controls, automated applications, networked operations, high integrity and availability requirements, multilevel security/processing of multiple classification levels, and processing Sensitive Compartmented Information). | 1 |
| T0304 | Implement and integrate system development life cycle (SDLC) methodologies (e.g., IBM Rational Unified Process) into development environment. | 2 |
| T0326 | Employ configuration management processes. | 2 |
| T0350 | Conduct a market analysis to identify, assess, and recommend commercial, Government off-the-shelf, and open source products for use within a system and ensure recommended products are in compliance with organization's evaluation and validation requirements. | 1 |
| T0358 | Design and develop system administration and management functionality for privileged access users. | 1 |
| T0359 | Design, implement, test, and evaluate secure interfaces between information systems, physical systems, and/or embedded technologies. | 2 |
| T0378 | Incorporates risk-driven systems maintenance updates process to address system deficiencies (periodically and out of cycle). | 1 |
| T0406 | Ensure that design and development activities are properly documented (providing a functional description of implementation) and updated as necessary. | 1 |
| T0447 | Design hardware, operating systems, and software applications to adequately address requirements. | 1 |
| T0449 | Design to security requirements to ensure requirements are met for all systems and/or applications. | 2 |
| T0464 | Develop detailed design documentation for component and interface specifications to support system design and development. | 1 |
| T0466 | Develop mitigation strategies to address cost, schedule, performance, and security risks. | 2 |
| T0480 | Identify components or elements, allocate comprehensive functional components to include security functions, and describe the relationships between the elements. | 1 |
| T0488 | Implement designs for new or existing system(s). | 1 |
| T0518 | Perform security reviews and identify security gaps in architecture. | 2 |
| T0528 | Provide input to implementation plans, standard operating procedures, maintenance documentation, and maintenance training materials | 1 |
| T0538 | Provide support to test and evaluation activities. | 1 |
| T0541 | Trace system requirements to design components and perform gap analysis. | 2 |
| T0544 | Verify stability, interoperability, portability, and/or scalability of system architecture. | 2 |
| T0012 | Analyze design constraints, analyze trade-offs and detailed system and security design, and consider life cycle support. | 2 |
| T0021 | Build, test, and modify product prototypes using working models or theoretical models. | 2 |
| T0053 | Design and develop cybersecurity or cybersecurity-enabled products. | 2 |
| T0056 | Design or integrate appropriate data backup capabilities into overall system designs, and ensure that appropriate technical and procedural processes exist for secure system backups and protected storage of backup data. | 2 |
| T0061 | Develop and direct system testing and validation procedures and documentation. | 2 |
| T0067 | Develop architectures or system components consistent with technical specifications. | 1 |
| T0070 | Develop Disaster Recovery and Continuity of Operations plans for systems under development and ensure testing prior to systems entering a production environment. | 2 |
| T0107 | Identify and direct the remediation of technical problems encountered during testing and implementation of new systems (e.g., identify and find work-arounds for communication protocols that are not interoperable). | 2 |
| T0109 | Identify and prioritize essential system functions or sub-systems required to support essential capabilities or business functions for restoration or recovery after a system failure or during a system recovery event based on overall system requirements for continuity and availability. | 2 |
| T0119 | Identify, assess, and recommend cybersecurity or cybersecurity-enabled products for use within a system and ensure that recommended products are in compliance with organization's evaluation and validation requirements. | 2 |
| T0181 | Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change. | 5 |
| T0201 | Provide guidelines for implementing developed systems to customers or installation teams. | 2 |
| T0205 | Provide input to the Risk Management Framework process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials). | 6 |
| T0228 | Store, retrieve, and manipulate data for analysis of system capabilities and requirements. | 4 |
| T0242 | Utilize models and simulations to analyze or predict system performance under different operating conditions. | 2 |