SP-SYS-002 Systems Developer

Conceptualizes, designs, procures, and/or builds secure information technology (IT) systems, with responsibility for aspects of system and/or network development.

Works on the development phases of the systems development life cycle.

Designs, develops, tests, and evaluates information systems throughout the systems development life cycle.

Knowledges 61

Code	Description	Work Roles
K0001	Knowledge of computer networking concepts and protocols, and network security methodologies.	52
K0002	Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).	52
K0003	Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.	52
K0004	Knowledge of cybersecurity and privacy principles.	52
K0005	Knowledge of cyber threats and vulnerabilities.	52
K0006	Knowledge of specific operational impacts of cybersecurity lapses.	52
K0015	Knowledge of computer algorithms.	6
K0018	Knowledge of encryption algorithms	11
K0024	Knowledge of database systems.	7
K0027	Knowledge of organization's enterprise information security architecture.	9
K0028	Knowledge of organization's evaluation and validation requirements.	8
K0030	Knowledge of electrical engineering as applied to computer architecture (e.g., circuit boards, processors, chips, and computer hardware).	4
K0032	Knowledge of resiliency and redundancy.	3
K0035	Knowledge of installation, integration, and optimization of system components.	6
K0036	Knowledge of human-computer interaction principles.	12
K0044	Knowledge of cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).	14
K0045	Knowledge of information security systems engineering principles (NIST SP 800-160).	3
K0049	Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption).	8
K0050	Knowledge of local area and wide area networking principles and concepts including bandwidth management.	6
K0052	Knowledge of mathematics (e.g. logarithms, trigonometry, linear algebra, calculus, statistics, and operational analysis).	6
K0055	Knowledge of microprocessors.	4
K0056	Knowledge of network access, identity, and access management (e.g., public key infrastructure, Oauth, OpenID, SAML, SPML).	11
K0060	Knowledge of operating systems.	13
K0061	Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]).	11
K0063	Knowledge of parallel and distributed computing concepts.	6
K0065	Knowledge of policy-based and risk adaptive access controls.	5
K0066	Knowledge of Privacy Impact Assessments.	6
K0067	Knowledge of process engineering concepts.	3
K0073	Knowledge of secure configuration management techniques. (e.g., Security Technical Implementation Guides (STIGs), cybersecurity best practices on cisecurity.org).	5
K0081	Knowledge of software development models (e.g., Waterfall Model, Spiral Model).	4
K0082	Knowledge of software engineering.	7
K0084	Knowledge of structured analysis principles and methods.	6
K0086	Knowledge of system design tools, methods, and techniques, including automated systems analysis and design tools.	5
K0087	Knowledge of system software and organizational design standards, policies, and authorized approaches (e.g., International Organization for Standardization [ISO] guidelines) relating to system design.	4
K0090	Knowledge of system life cycle management principles, including software security and usability.	10
K0091	Knowledge of systems testing and evaluation methods.	6
K0093	Knowledge of telecommunications concepts (e.g., Communications channel, Systems Link Budgeting, Spectral efficiency, Multiplexing).	8
K0102	Knowledge of the systems engineering process.	7
K0126	Knowledge of Supply Chain Risk Management Practices (NIST SP 800-161)	14
K0139	Knowledge of interpreted and compiled computer languages.	8
K0169	Knowledge of information technology (IT) supply chain security and supply chain risk management policies, requirements, and procedures.	14
K0170	Knowledge of critical infrastructure systems with information communication technology that were designed without system security considerations.	12
K0179	Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).	19
K0180	Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools.	9
K0200	Knowledge of service management concepts for networks and related standards (e.g., Information Technology Infrastructure Library, current version [ITIL]).	11
K0203	Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model).	10
K0207	Knowledge of circuit analysis.	2
K0212	Knowledge of cybersecurity-enabled software products.	4
K0227	Knowledge of various types of computer architectures.	4
K0260	Knowledge of Personally Identifiable Information (PII) data security standards.	16
K0261	Knowledge of Payment Card Industry (PCI) data security standards.	17
K0262	Knowledge of Personal Health Information (PHI) data security standards.	17
K0276	Knowledge of security management.	3
K0287	Knowledge of an organization's information classification program and procedures for information compromise.	18
K0297	Knowledge of countermeasure design for identified security risks.	4
K0308	Knowledge of cryptology.	3
K0322	Knowledge of embedded systems.	10
K0325	Knowledge of Information Theory (e.g., source coding, channel coding, algorithm complexity theory, and data compression).	6
K0332	Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.	14
K0333	Knowledge of network design processes, to include understanding of security objectives, operational objectives, and trade-offs.	6
K0336	Knowledge of access authentication methods.	3

Skills 16

Code	Description	Work Roles
S0018	Skill in creating policies that reflect system security objectives.	3
S0022	Skill in designing countermeasures to identified security risks.	5
S0023	Skill in designing security controls based on cybersecurity principles and tenets.	2
S0024	Skill in designing the integration of hardware and software solutions.	5
S0025	Skill in detecting host and network based intrusions via intrusion detection technologies (e.g., Snort).	3
S0031	Skill in developing and applying security system access controls.	5
S0034	Skill in discerning the protection needs (i.e., security controls) of information systems and networks.	6
S0036	Skill in evaluating the adequacy of security designs.	4
S0060	Skill in writing code in a currently supported programming language (e.g., Java, C++).	7
S0085	Skill in conducting audits or reviews of technical systems.	3
S0097	Skill in applying security controls.	3
S0136	Skill in network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools.	2
S0145	Skill in integrating and applying policies that meet system security objectives.	3
S0146	Skill in creating policies that enable systems to meet performance objectives (e.g. traffic routing, SLA's, CPU specifications).	1
S0160	Skill in the use of design modeling (e.g., unified modeling language).	3
S0367	Skill to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).	14

Abilities 2

Code	Description	Work Roles
A0123	Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).	15
A0170	Ability to identify critical infrastructure systems with information communication technology that were designed without system security considerations.	11

Tasks 36

Code	Description	Work Roles
T0558	Analyze user needs and requirements to plan and conduct system development.	1
T0559	Develop designs to meet specific operational needs and environmental factors (e.g., access controls, automated applications, networked operations.	1
T0560	Collaborate on cybersecurity designs to meet specific operational needs and environmental factors (e.g., access controls, automated applications, networked operations, high integrity and availability requirements, multilevel security/processing of multiple classification levels, and processing Sensitive Compartmented Information).	1
T0304	Implement and integrate system development life cycle (SDLC) methodologies (e.g., IBM Rational Unified Process) into development environment.	2
T0326	Employ configuration management processes.	2
T0350	Conduct a market analysis to identify, assess, and recommend commercial, Government off-the-shelf, and open source products for use within a system and ensure recommended products are in compliance with organization's evaluation and validation requirements.	1
T0358	Design and develop system administration and management functionality for privileged access users.	1
T0359	Design, implement, test, and evaluate secure interfaces between information systems, physical systems, and/or embedded technologies.	2
T0378	Incorporates risk-driven systems maintenance updates process to address system deficiencies (periodically and out of cycle).	1
T0406	Ensure that design and development activities are properly documented (providing a functional description of implementation) and updated as necessary.	1
T0447	Design hardware, operating systems, and software applications to adequately address requirements.	1
T0449	Design to security requirements to ensure requirements are met for all systems and/or applications.	2
T0464	Develop detailed design documentation for component and interface specifications to support system design and development.	1
T0466	Develop mitigation strategies to address cost, schedule, performance, and security risks.	2
T0480	Identify components or elements, allocate comprehensive functional components to include security functions, and describe the relationships between the elements.	1
T0488	Implement designs for new or existing system(s).	1
T0518	Perform security reviews and identify security gaps in architecture.	2
T0528	Provide input to implementation plans, standard operating procedures, maintenance documentation, and maintenance training materials	1
T0538	Provide support to test and evaluation activities.	1
T0541	Trace system requirements to design components and perform gap analysis.	2
T0544	Verify stability, interoperability, portability, and/or scalability of system architecture.	2
T0012	Analyze design constraints, analyze trade-offs and detailed system and security design, and consider life cycle support.	2
T0021	Build, test, and modify product prototypes using working models or theoretical models.	2
T0053	Design and develop cybersecurity or cybersecurity-enabled products.	2
T0056	Design or integrate appropriate data backup capabilities into overall system designs, and ensure that appropriate technical and procedural processes exist for secure system backups and protected storage of backup data.	2
T0061	Develop and direct system testing and validation procedures and documentation.	2
T0067	Develop architectures or system components consistent with technical specifications.	1
T0070	Develop Disaster Recovery and Continuity of Operations plans for systems under development and ensure testing prior to systems entering a production environment.	2
T0107	Identify and direct the remediation of technical problems encountered during testing and implementation of new systems (e.g., identify and find work-arounds for communication protocols that are not interoperable).	2
T0109	Identify and prioritize essential system functions or sub-systems required to support essential capabilities or business functions for restoration or recovery after a system failure or during a system recovery event based on overall system requirements for continuity and availability.	2
T0119	Identify, assess, and recommend cybersecurity or cybersecurity-enabled products for use within a system and ensure that recommended products are in compliance with organization's evaluation and validation requirements.	2
T0181	Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change.	5
T0201	Provide guidelines for implementing developed systems to customers or installation teams.	2
T0205	Provide input to the Risk Management Framework process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials).	6
T0228	Store, retrieve, and manipulate data for analysis of system capabilities and requirements.	4
T0242	Utilize models and simulations to analyze or predict system performance under different operating conditions.	2