Security Architect

Ensures that the stakeholder security requirements necessary to protect the organization’s mission and business processes are adequately addressed in all aspects of enterprise architecture including reference models, segment and solution architectures, and the resulting systems supporting those missions and business processes.

Below are the Knowledge, Skills, Abilities and Tasks identified as being required to perform this work role.

Knowledge of computer networking concepts and protocols, and network security methodologies.
Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
K0003 Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.
K0004 Knowledge of cybersecurity and privacy principles.
K0005 Knowledge of cyber threats and vulnerabilities.
K0006 Knowledge of specific operational impacts of cybersecurity lapses.
K0007 Knowledge of authentication, authorization, and access control methods.
K0008 Knowledge of applicable business processes and operations of customer organizations.
K0009 Knowledge of application vulnerabilities.
K0010 Knowledge of communication methods, principles, and concepts that support the network infrastructure.
K0011 Knowledge of capabilities and applications of network equipment including routers, switches, bridges, servers, transmission media, and related hardware.
K0012 Knowledge of capabilities and requirements analysis.
K0013 Knowledge of cyber defense and vulnerability assessment tools and their capabilities.
K0015 Knowledge of computer algorithms.
K0018 Knowledge of encryption algorithms.
K0019 Knowledge of cryptography and cryptographic key management concepts.
K0024 Knowledge of database systems.
K0026 Knowledge of business continuity and disaster recovery continuity of operations plans.
K0027 Knowledge of organization’s enterprise information security architecture.
K0030 Knowledge of electrical engineering as applied to computer architecture (e.g., circuit boards, processors, chips, and computer hardware).
K0035 Knowledge of installation, integration, and optimization of system components.
K0036 Knowledge of human-computer interaction principles.
K0037 Knowledge of Security Assessment and Authorization process.
K0043 Knowledge of industry-standard and organizationally accepted analysis principles and methods.
K0044 Knowledge of cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
K0052 Knowledge of mathematics (e.g., logarithms, trigonometry, linear algebra, calculus, statistics, and operational analysis).
K0055 Knowledge of microprocessors.
K0056 Knowledge of network access, identity, and access management (e.g., public key infrastructure, OAuth, OpenID, SAML, SPML).
K0057 Knowledge of network hardware devices and functions.
K0059 Knowledge of new and emerging information technology (IT) and cybersecurity technologies.
K0060 Knowledge of operating systems.
K0061 Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]).
K0063 Knowledge of parallel and distributed computing concepts.
K0071 Knowledge of remote access technology concepts.
K0074 Knowledge of key concepts in security management (e.g., Release Management, Patch Management).
K0082 Knowledge of software engineering.
K0091 Knowledge of systems testing and evaluation methods.
K0092 Knowledge of technology integration processes.
K0093 Knowledge of telecommunications concepts (e.g., Communications channel, Systems Link Budgeting, Spectral efficiency, Multiplexing).
K0102 Knowledge of the systems engineering process.
K0170 Knowledge of critical infrastructure systems with information communication technology that were designed without system security considerations.
K0180 Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools.
K0198 Knowledge of organizational process improvement concepts and process maturity models (e.g., Capability Maturity Model Integration (CMMI) for Development, CMMI for Services, and CMMI for Acquisitions).
K0200 Knowledge of service management concepts for networks and related standards (e.g., Information Technology Infrastructure Library, current version [ITIL]).
K0202 Knowledge of the application firewall concepts and functions (e.g., Single point of authentication/audit/policy enforcement, message scanning for malicious content, data anonymization for PCI and PII compliance, data loss protection scanning, accelerated cryptographic operations, SSL security, REST/JSON processing).
K0211 Knowledge of confidentiality, integrity, and availability requirements.
K0212 Knowledge of cybersecurity-enabled software products.
K0214 Knowledge of the Risk Management Framework Assessment Methodology.
K0227 Knowledge of various types of computer architectures.
K0240 Knowledge of multi-level security systems and cross domain solutions.
K0260 Knowledge of Personally Identifiable Information (PII) data security standards.
K0261 Knowledge of Payment Card Industry (PCI) data security standards.
K0262 Knowledge of Personal Health Information (PHI) data security standards.
K0264 Knowledge of program protection planning (e.g., information technology (IT) supply chain security/risk management policies, anti-tampering techniques, and requirements).
K0275 Knowledge of configuration management techniques.
K0277 Knowledge of current and emerging data encryption (e.g., Column and Tablespace Encryption, file and disk encryption) security features in databases (e.g., built-in cryptographic key management features).
K0286 Knowledge of N-tiered typologies (e.g., including server and client operating systems).
K0287 Knowledge of an organization’s information classification program and procedures for information compromise.
K0291 Knowledge of the enterprise information technology (IT) architectural concepts and patterns (e.g., baseline, validated design, and target architectures).
K0293 Knowledge of integrating the organization’s goals and objectives into the architecture.
K0320 Knowledge of organization’s evaluation and validation criteria.
K0322 Knowledge of embedded systems.
K0323 Knowledge of system fault tolerance methodologies.
K0325 Knowledge of Information Theory (e.g., source coding, channel coding, algorithm complexity theory, and data compression).
K0326 Knowledge of demilitarized zones.
K0332 Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.
K0333 Knowledge of network design processes, to include understanding of security objectives, operational objectives, and trade-offs.
K0336 Knowledge of access authentication methods.
K0374 WITHDRAWN: Knowledge of basic structure, architecture, and design of modern digital and telephony networks. (See K0599)
K0565 Knowledge of the common networking and routing protocols (e.g., TCP/IP), services (e.g., web, mail, DNS), and how they interact to provide network communications.

ID DESCRIPTION
S0005 Skill in applying and incorporating information technologies into proposed solutions.
S0022 Skill in designing countermeasures to identified security risks.
S0024 Skill in designing the integration of hardware and software solutions.
S0027 Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.
S0050 Skill in design modeling and building use cases (e.g., unified modeling language).
S0059 Skill in using Virtual Private Network (VPN) devices and encryption.
S0061 Skill in writing test plans.
S0076 Skill in configuring and utilizing software-based computer protection tools (e.g., software firewalls, antivirus software, anti-spyware).
S0116 Skill in designing multi-level security/cross domain solutions.
S0122 Skill in the use of design methods.
S0138 Skill in using Public-Key Infrastructure (PKI) encryption and digital signature capabilities into applications (e.g., S/MIME email, SSL traffic).
S0139 Skill in applying security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model).
S0152 Skill in translating operational requirements into protection needs (i.e., security controls).
S0168 Skill in setting up physical or logical sub-networks that separate an internal local area network (LAN) from other untrusted networks.
S0170 Skill in configuring and utilizing computer protection components (e.g., hardware firewalls, servers, routers, as appropriate).
S0367 Skill to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
S0374 Skill to identify cybersecurity and privacy issues that stem from connections with internal and external customers and partner organizations.

ID DESCRIPTION
A0008 Ability to apply the methods, standards, and approaches for describing, analyzing, and documenting an organization’s enterprise information technology (IT) architecture (e.g., Open Group Architecture Framework [TOGAF], Department of Defense Architecture Framework [DoDAF], Federal Enterprise Architecture Framework [FEAF]).
A0014 Ability to communicate effectively when writing.
A0015 Ability to conduct vulnerability scans and recognize vulnerabilities in security systems.
A0027 Ability to apply an organization’s goals and objectives to develop and maintain architecture.
A0038 Ability to optimize systems to meet enterprise performance requirements.
A0048 Ability to apply network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).
A0049 Ability to apply secure system design tools, methods and techniques.
A0050 Ability to apply system design tools, methods, and techniques, including automated systems analysis and design tools.
A0061 Ability to design architectures and frameworks.
A0123 Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
A0148 Ability to serve as the primary liaison between the enterprise architect and the systems security engineer and to coordinate with system owners, common control providers, and system security officers on the allocation of security controls as system-specific, hybrid, or common controls.
A0149 Ability, in close coordination with system security officers, to advise authorizing officials, chief information officers, senior information security officers, and the senior accountable official for risk management/risk executive (function), on a range of security-related issues (e.g., establishing system boundaries; assessing the severity of weaknesses and deficiencies in the system; plans of action and milestones; risk mitigation approaches; security alerts; and potential adverse effects of identified vulnerabilities).
A0170 Ability to identify critical infrastructure systems with information communication technology that were designed without system security considerations.
A0172 Ability to set up physical or logical sub-networks that separate an internal local area network (LAN) from other untrusted networks.

ID DESCRIPTION
T0050 Define and prioritize essential system capabilities or business functions required for partial or full system restoration after a catastrophic failure event.
T0051 Define appropriate levels of system availability based on critical system functions and ensure that system requirements identify appropriate disaster recovery and continuity of operations requirements to include any appropriate fail-over/alternate site requirements, backup requirements, and material supportability requirements for system recovery/restoration.
T0071 Develop/integrate cybersecurity designs for systems and networks with multilevel security requirements or requirements for the processing of multiple classification levels of data primarily applicable to government organizations (e.g., UNCLASSIFIED, SECRET, and TOP SECRET).
T0082 Document and address organization’s information security, cybersecurity architecture, and systems security engineering requirements throughout the acquisition life cycle.
T0084 Employ secure configuration management processes.
T0090 Ensure that acquired or developed system(s) and architecture(s) are consistent with organization’s cybersecurity architecture guidelines.
T0108 Identify and prioritize critical business functions in collaboration with organizational stakeholders.
T0177 Perform security reviews, identify gaps in security architecture, and develop a security risk management plan.
T0196 Provide advice on project costs, design concepts, or design changes.
T0203 Provide input on security requirements to be included in statements of work and other appropriate procurement documents.
T0205 Provide input to the Risk Management Framework process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials).
T0268 Define and document how the implementation of a new system or new interfaces between systems impacts the security posture of the current environment.
T0307 Analyze candidate architectures, allocate security services, and select security mechanisms.
T0314 Develop a system security context, a preliminary system security Concept of Operations (CONOPS), and define baseline system security requirements in accordance with applicable cybersecurity requirements.
T0328 Evaluate security architectures and designs to determine the adequacy of security design and architecture proposed or provided in response to requirements contained in acquisition documents.
T0338 Write detailed functional specifications that document the architecture development process.
T0427 Analyze user needs and requirements to plan architecture.
T0448 Develop enterprise architecture or system components required to meet user needs.
T0473 Document and update as necessary all definition and architecture activities.
T0484 Determine the protection needs (i.e., security controls) for the information system(s) and network(s) and document appropriately.
T0542 Translate proposed capabilities into technical requirements.
T0556 Assess and design security management functions as related to cyberspace.