Security Control Assessor

Conducts independent comprehensive assessments of the management, operational, and technical security controls and control enhancements employed within or inherited by an information technology (IT) system to determine the overall effectiveness of the controls (as defined in NIST SP 800-37).

Below are the Knowledge, Skills, Abilities and Tasks identified as being required to perform this work role.

Knowledge of computer networking concepts and protocols, and network security methodologies.
Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
K0003Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.
K0004Knowledge of cybersecurity and privacy principles.
K0005Knowledge of cyber threats and vulnerabilities.
K0006Knowledge of specific operational impacts of cybersecurity lapses.
K0007Knowledge of authentication, authorization, and access control methods.
K0008Knowledge of applicable business processes and operations of customer organizations.
K0009Knowledge of application vulnerabilities.
K0010Knowledge of communication methods, principles, and concepts that support the network infrastructure.
K0011Knowledge of capabilities and applications of network equipment including routers, switches, bridges, servers, transmission media, and related hardware.
K0013Knowledge of cyber defense and vulnerability assessment tools and their capabilities.
K0018Knowledge of encryption algorithms
K0019Knowledge of cryptography and cryptographic key management concepts
K0021Knowledge of data backup and recovery.
K0024Knowledge of database systems.
K0026Knowledge of business continuity and disaster recovery continuity of operations plans.
K0027Knowledge of organization’s enterprise information security architecture.
K0028Knowledge of organization’s evaluation and validation requirements.
K0029Knowledge of organization’s Local and Wide Area Network connections.
K0037Knowledge of Security Assessment and Authorization process.
K0038Knowledge of cybersecurity and privacy principles used to manage risks related to the use, processing, storage, and transmission of information or data.
K0040Knowledge of vulnerability information dissemination sources (e.g., alerts, advisories, errata, and bulletins).
K0044Knowledge of cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
K0048Knowledge of Risk Management Framework (RMF) requirements.
K0049Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption).
K0054Knowledge of current industry methods for evaluating, implementing, and disseminating information technology (IT) security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities.
K0056Knowledge of network access, identity, and access management (e.g., public key infrastructure, Oauth, OpenID, SAML, SPML).
K0059Knowledge of new and emerging information technology (IT) and cybersecurity technologies.
K0070Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
K0084Knowledge of structured analysis principles and methods.
K0089Knowledge of systems diagnostic tools and fault identification techniques.
K0098Knowledge of the cyber defense Service Provider reporting structure and processes within one??s own organization.
K0100Knowledge of the enterprise information technology (IT) architecture.
K0101Knowledge of the organization??s enterprise information technology (IT) goals and objectives.
K0126Knowledge of Supply Chain Risk Management Practices (NIST SP 800-161)
K0146Knowledge of the organization’s core business/mission processes.
K0168Knowledge of applicable laws, statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures.
K0169Knowledge of information technology (IT) supply chain security and supply chain risk management policies, requirements, and procedures.
K0170Knowledge of critical infrastructure systems with information communication technology that were designed without system security considerations.
K0179Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).
K0199Knowledge of security architecture concepts and enterprise architecture reference models (e.g., Zachman, Federal Enterprise Architecture [FEA]).
K0203Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model).
K0260Knowledge of Personally Identifiable Information (PII) data security standards.
K0261Knowledge of Payment Card Industry (PCI) data security standards.
K0262Knowledge of Personal Health Information (PHI) data security standards.
K0267Knowledge of laws, policies, procedures, or governance relevant to cybersecurity for critical infrastructures.
K0287Knowledge of an organization’s information classification program and procedures for information compromise.
K0322Knowledge of embedded systems.
K0342Knowledge of penetration testing principles, tools, and techniques.
K0622Knowledge of controls related to the use, processing, storage, and transmission of data.
K0624Knowledge of Application Security Risks (e.g. Open Web Application Security Project Top 10 list)
S0001Skill in conducting vulnerability scans and recognizing vulnerabilities in security systems.
S0006Skill in applying confidentiality, integrity, and availability principles.
S0027Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.
S0034Skill in discerning the protection needs (i.e., security controls) of information systems and networks.
S0038Skill in identifying measures or indicators of system performance and the actions needed to improve or correct performance, relative to the goals of the system.
S0073Skill in using virtual machines. (e.g., Microsoft Hyper-V, VMWare vSphere, Citrix XenDesktop/Server, Amazon Elastic Compute Cloud, etc.).
S0078Skill in recognizing and categorizing types of vulnerabilities and associated attacks.
S0097Skill in applying security controls.
S0100Skill in utilizing or developing learning activities (e.g., scenarios, instructional games, interactive exercises).
S0110Skill in identifying Test & Evaluation infrastructure (people, ranges, tools, instrumentation) requirements.
S0111Skill in interfacing with customers.
S0112Skill in managing test assets, test resources, and test personnel to ensure effective completion of test events.
S0115Skill in preparing Test & Evaluation reports.
S0120Skill in reviewing logs to identify evidence of past intrusions.
S0124Skill in troubleshooting and diagnosing cyber defense infrastructure anomalies and work through resolution.
S0128Skill in using manpower and personnel IT systems.
S0134Skill in conducting reviews of systems.
S0135Skill in secure test plan design (e. g. unit, integration, system, acceptance).
S0136Skill in network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools.
S0137Skill in conducting application vulnerability assessments.
S0138Skill in using Public-Key Infrastructure (PKI) encryption and digital signature capabilities into applications (e.g., S/MIME email, SSL traffic).
S0141Skill in assessing security systems designs.
S0145Skill in integrating and applying policies that meet system security objectives.
S0147Skill in assessing security controls based on cybersecurity principles and tenets. (e.g., CIS CSC, NIST SP 800-53, Cybersecurity Framework, etc.).
S0171Skill in performing impact/risk assessments.
S0172Skill in applying secure coding techniques.
S0173Skill in using security event correlation tools.
S0174Skill in using code analysis tools.
S0175Skill in performing root cause analysis.
S0176Skill in administrative planning activities, to include preparation of functional and specific support plans, preparing and managing correspondence, and staffing procedures.
S0177Skill in analyzing a target’s communication networks.
S0184Skill in analyzing traffic to identify network devices.
S0232Skill in identifying intelligence gaps and limitations.
S0233Skill in identifying language issues that may have an impact on organization objectives.
S0234Skill in identifying leads for target development.
S0235Skill in identifying non-target regional languages and dialects
S0236Skill in identifying the devices that work at each level of protocol models.
S0237Skill in identifying, locating, and tracking targets via geospatial analysis techniques
S0238Skill in information prioritization as it relates to operations.
S0239Skill in interpreting compiled and interpretive programming languages.
S0240Skill in interpreting metadata and content as applied by collection systems.
S0241Skill in interpreting traceroute results, as they apply to network analysis and reconstruction.
S0242Skill in interpreting vulnerability scanner results to identify vulnerabilities.
S0243Skill in knowledge management, including technical documentation techniques (e.g., Wiki page).
S0244Skill in managing client relationships, including determining client needs/requirements, managing client expectations, and demonstrating commitment to delivering quality results.
S0248Skill in performing target system analysis.
S0249Skill in preparing and presenting briefings.
S0250Skill in preparing plans and related correspondence.
S0251Skill in prioritizing target language material.
S0252Skill in processing collected data for follow-on analysis.
S0254Skill in providing analysis to aid writing phased after action reports.
S0271Skill in reviewing and editing assessment products.
S0273Skill in reviewing and editing plans.
S0278Skill in tailoring analysis to the necessary levels (e.g., classification and organizational).
S0279Skill in target development in direct support of collection operations.
S0280Skill in target network anomaly identification (e.g., intrusions, dataflow or processing, target implementation of new technologies).
S0281Skill in technical writing.
S0296Skill in utilizing feedback to improve processes, products, and services.
S0304Skill to access information on current assets available, usage.
S0305Skill to access the databases where plans/directives/guidance are maintained.
S0306Skill to analyze strategic guidance for issues requiring clarification and/or additional guidance.
S0307Skill to analyze target or threat sources of strength and morale.
S0325Skill to develop a collection plan that clearly shows the discipline that can be used to collect the information needed.
S0329Skill to evaluate requests for information to determine if response information exists.
S0332Skill to extract information from available tools and applications associated with collection requirements and collection operations management.
S0367Skill to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
S0370Skill to use cyber defense Service Provider reporting structure and processes within one??s own organization.
S0374Skill to identify cybersecurity and privacy issues that stem from connections with internal and external customers and partner organizations.
A0001Ability to identify systemic security issues based on the analysis of vulnerability and configuration data.
A0011Ability to answer questions in a clear and concise manner.
A0012Ability to ask clarifying questions.
A0013Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means.
A0014Ability to communicate effectively when writing.
A0015Ability to conduct vulnerability scans and recognize vulnerabilities in security systems.
A0016Ability to facilitate small group discussions.
A0018Ability to prepare and present briefings.
A0019Ability to produce technical documentation.
A0023Ability to design valid and reliable assessments.
A0026Ability to analyze test data.
A0030Ability to collect, verify, and validate test data.
A0035Ability to dissect a problem and examine the interrelationships between data that may appear unrelated.
A0036Ability to identify basic common coding flaws at a high level.
A0040Ability to translate data and test results into evaluative conclusions.
A0056Ability to ensure security practices are followed throughout the acquisition process.
A0069Ability to apply collaborative skills and strategies.
A0070Ability to apply critical reading/thinking skills.
A0082Ability to effectively collaborate via virtual teams.
A0083Ability to evaluate information for reliability, validity, and relevance.
A0084Ability to evaluate, analyze, and synthesize large quantities of data (which may be fragmented and contradictory) into high quality, fused targeting/intelligence products.
A0085Ability to exercise judgment when policies are not well-defined.
A0086Ability to expand network access by conducting target analysis and collection to identify targets of interest.
A0087Ability to focus research efforts to meet the customer??s decision-making needs.
A0088Ability to function effectively in a dynamic, fast-paced environment.
A0089Ability to function in a collaborative environment, seeking continuous consultation with other analysts and experts??both internal and external to the organization??to leverage analytical and technical expertise.
A0090Ability to identify external partners with common cyber operations interests.
A0091Ability to identify intelligence gaps.
A0092Ability to identify/describe target vulnerability.
A0093Ability to identify/describe techniques/methods for conducting technical exploitation of the target.
A0094Ability to interpret and apply laws, regulations, policies, and guidance relevant to organization cyber objectives.
A0095Ability to interpret and translate customer requirements into operational action.
A0096Ability to interpret and understand complex and rapidly evolving concepts.
A0098Ability to participate as a member of planning teams, coordination groups, and task forces as necessary.
A0101Ability to recognize and mitigate cognitive biases which may affect analysis.
A0106Ability to think critically.
A0108Ability to understand objectives and effects.
A0109Ability to utilize multiple intelligence sources across all intelligence disciplines.
A0111Ability to work across departments and business units to implement organization??s privacy principles and programs, and align privacy objectives with security objectives.
A0112Ability to monitor advancements in information privacy technologies to ensure organizational adaptation and compliance.
A0114Ability to develop or procure curriculum that speaks to the topic at the appropriate level for the target.
A0115Ability to work across departments and business units to implement organization??s privacy principles and programs, and align privacy objectives with security objectives.
A0116Ability to prioritize and allocate cybersecurity resources correctly and efficiently.
A0117Ability to relate strategy, business, and technology in the context of organizational dynamics.
A0118Ability to understand technology, management, and leadership issues related to organization processes and problem solving.
A0119Ability to understand the basic concepts and issues related to cyber and its organizational impact.
A0123Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
A0170Ability to identify critical infrastructure systems with information communication technology that were designed without system security considerations.
T0145Manage and approve Accreditation Packages (e.g., ISO/IEC 15026-2).
T0177Perform security reviews, identify gaps in security architecture, and develop a security risk management plan.
T0178Perform security reviews and identify security gaps in security architecture resulting in recommendations for inclusion in the risk mitigation strategy.
T0181Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change.
T0184Plan and conduct security authorization reviews and assurance case development for initial installation of systems and networks.
T0205Provide input to the Risk Management Framework process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials).
T0221Review authorization and assurance documents to confirm that the level of risk is within acceptable limits for each software application, system, and network.
T0243Verify and update security documentation reflecting the application/system security design features.
T0244Verify that application software/network/system security postures are implemented as stated, document deviations, and recommend required actions to correct those deviations.
T0251Develop security compliance processes and/or audits for external services (e.g., cloud service providers, data centers).
T0255Participate in Risk Governance process to provide security risks, mitigations, and input on other technical risk.
T0264Ensure that plans of actions and milestones or remediation plans are in place for vulnerabilities identified during risk assessments, audits, inspections, etc.
T0265Assure successful implementation and functionality of security requirements and appropriate information technology (IT) policies and procedures that are consistent with the organization’s mission and goals.
T0268Define and document how the implementation of a new system or new interfaces between systems impacts the security posture of the current environment.
T0272Ensure that security design and cybersecurity development activities are properly documented (providing a functional description of security implementation) and updated as necessary.
T0275Support necessary compliance activities (e.g., ensure that system security configuration guidelines are followed, compliance monitoring occurs).
T0277Ensure that all acquisitions, procurements, and outsourcing efforts address information security requirements consistent with organization goals.
T0309Assess the effectiveness of security controls.
T0344Assess all the configuration management (change configuration/release management) processes.
T0371Establish acceptable limits for the software application, network, or system.
T0495Manage Accreditation Packages (e.g., ISO/IEC 15026-2).