Security Architect

Work Role ID: 652  |  Workforce Element: Cybersecurity

What does this work role do? Designs enterprise and systems security throughout the development lifecycle; translates technology and environmental conditions (e.g., law and regulation) into security designs and processes.

KSAT ID Description KSAT
22 * Knowledge of computer networking concepts and protocols, and network security methodologies. Knowledge
38 Knowledge of organization’s enterprise information security architecture system. Knowledge
63 Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation). Knowledge
68B Ability to design architectures and frameworks. Ability
70B Skill in applying cybersecurity methods, such as firewalls, demilitarized zones, and encryption. Skill
108 * Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). Knowledge
143A Knowledge of integrating the organization’s goals and objectives into the architecture. Knowledge
183 Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes. Skill
197A Skill in translating operational requirements into protection needs (i.e., security controls). Skill
534 Develop/integrate cybersecurity designs for systems and networks with multilevel security requirements or requirements for the processing of multiple classification levels of data primarily applicable to government organizations (e.g., UNCLASSIFIED, SECRET, and TOP SECRET). Task
561 Document and address organization’s information security, cybersecurity architecture, and systems security engineering requirements throughout the acquisition lifecycle. Task
568 Employ secure configuration management processes. Task
579 Ensure acquired or developed system(s) and architecture(s) are consistent with organization’s cybersecurity architecture guidelines. Task
631 Identify and prioritize critical business functions in collaboration with organizational stakeholders. Task
646A Document the protection needs (i.e., security controls) for the information system(s) and network(s) and document appropriately. Task
765 Perform security reviews, identify gaps in security architecture, and develop a security risk management plan. Task
994 Define and document how the implementation of a new system or new interfaces between systems impacts the security posture of the current environment. Task
1072A Ability to apply network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth). Ability
1157 * Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity. Knowledge
1158 * Knowledge of cybersecurity principles. Knowledge
1159 * Knowledge of cyber threats and vulnerabilities. Knowledge
2248 Develop a system security context, a preliminary system security CONOPS, and define baseline system security requirements in accordance with applicable cybersecurity requirements. Task
2390 Evaluate security architectures and designs to determine the adequacy of security design and architecture proposed or provided in response to requirements contained in acquisition documents. Task
3307 Knowledge of cybersecurity-enabled software products. Knowledge
6030 Ability to apply an organization’s goals and objectives to develop and maintain architecture. Ability
6900 * Knowledge of specific operational impacts of cybersecurity lapses. Knowledge
6935 * Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). Knowledge
6938 * Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments. Knowledge
KSAT ID Description KSAT
8 Knowledge of authentication, authorization, and access control methods. Knowledge
21 Knowledge of computer algorithms. Knowledge
25 Knowledge of encryption algorithms (e.g., Internet Protocol Security [IPSEC], Advanced Encryption Standard [AES], Generic Routing Encapsulation [GRE], Internet Key Exchange [IKE], Message Digest Algorithm [MD5], Secure Hash Algorithm [SHA], Triple Data Encryption Standard [3DES]). Knowledge
27 Knowledge of cryptography and cryptographic key management concepts. Knowledge
34 Knowledge of database systems. Knowledge
40A Knowledge of organization’s evaluation and validation criteria. Knowledge
42 Knowledge of electrical engineering as applied to computer architecture, including circuit boards, processors, chips, and associated computer hardware. Knowledge
43A Knowledge of embedded systems. Knowledge
46A Knowledge of system fault tolerance methodologies. Knowledge
51 Knowledge of how system components are installed, integrated, and optimized. Knowledge
52 Knowledge of human-computer interaction principles. Knowledge
53A Knowledge of security risk assessments and authorization per Risk Management Framework processes. Knowledge
53 Knowledge of the Security Assessment and Authorization process. Knowledge
62 Knowledge of industry-standard and organizationally accepted analysis principles and methods. Knowledge
65A Knowledge of Information Theory (e.g., source coding, channel coding, algorithm complexity theory, and data compression). Knowledge
69A Knowledge of risk management processes and requirements per the Risk Management Framework (RMF). Knowledge
75 Knowledge of mathematics, including logarithms, trigonometry, linear algebra, calculus, and statistics. Knowledge
78 Knowledge of microprocessors. Knowledge
79 Knowledge of network access, identity, and access management (e.g., public key infrastructure [PKI]). Knowledge
81A Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services. Knowledge
82A Knowledge of network design processes, to include understanding of security objectives, operational objectives, and tradeoffs. Knowledge
90 Knowledge of operating systems. Knowledge
92 Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]). Knowledge
94 Knowledge of parallel and distributed computing concepts. Knowledge
109A Knowledge of configuration management techniques. Knowledge
110 Knowledge of key concepts in security management (e.g., Release Management, Patch Management). Knowledge
111A Ability to apply secure system design tools, methods and techniques. Ability
113A Knowledge of N-tiered typologies including server and client operating systems. Knowledge
119 Knowledge of software engineering. Knowledge
124A Ability to apply system design tools, methods, and techniques, including automated systems analysis and design tools. Ability
130 Knowledge of systems testing and evaluation methods. Knowledge
132 Knowledge of technology integration processes. Knowledge
133 Knowledge of key telecommunications concepts (e.g., Routing Algorithms, Fiber Optics Systems Link Budgeting, Add/Drop Multiplexers). Knowledge
141A Knowledge of the enterprise information technology (IT) architectural concepts and patterns to include baseline and target architectures. Knowledge
144 Knowledge of the systems engineering process. Knowledge
155 Skill in applying and incorporating information technologies into proposed solutions. Skill
180 Skill in designing the integration of hardware and software solutions. Skill
224 Skill in design modeling and building use cases (e.g., unified modeling language). Skill
238A Skill in writing code in a currently supported programming language (e.g., Java, C++). Skill
413A Analyze user needs and requirements to plan architecture. Task
465 Develop threat model based on customer interviews and requirements. Task
483 Define and prioritize essential system capabilities or business functions required for partial or full system restoration after a catastrophic failure event. Task
484 Define appropriate levels of system availability based on critical system functions and ensure system requirements identify appropriate disaster recovery and continuity of operations requirements to include any appropriate fail-over/alternate site requirements, backup requirements, and material supportability requirements for system recover/restoration. Task
502A Develop enterprise architecture or system components required to meet user needs. Task
525A Develop procedures and test fail-over for system operations transfer to an alternate site based on system availability requirements. Task
569A Document and update as necessary all definition and architecture activities. Task
602 Evaluate factors such as reporting formats required, cost constraints, and need for security restrictions to determine hardware configuration. Task
669 Integrate and align information security and/or cybersecurity policies to ensure system analysis meets security requirements. Task
797 Provide advice on project costs, design concepts, or design changes. Task
807 Provide input on security requirements to be included in statements of work and other appropriate procurement documents. Task
809 Provide input to the Risk Management Framework process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials). Task
864A Translate proposed capabilities into technical requirements. Task
865 Translate security requirements into application design elements including documenting the elements of the software attack surfaces, conducting threat modeling, and defining any specific security criteria. Task
936 Develop security compliance processes and/or audits for external services (e.g., cloud service providers, data centers). Task
993A Ability to apply the methods, standards, and approaches for describing, analyzing, and documenting an organization’s enterprise information technology (IT) architecture (e.g., Open Group Architecture Framework [TOGAF], Department of Defense Architecture Framework [DoDAF], Federal Enterprise Architecture Framework [FEAF]). Ability
996A Assess and design security management functions as related to cyberspace. Task
1034C Knowledge of Personal Health Information (PHI) data security standards. Knowledge
1034B Knowledge of Payment Card Industry (PCI) data security standards. Knowledge
1034A Knowledge of Personally Identifiable Information (PII) data security standards. Knowledge
1037B Knowledge of program protection planning to include information technology (IT) supply chain security/risk management policies, anti-tampering techniques, and requirements. Knowledge
1038 Knowledge of local specialized system requirements (e.g., critical infrastructure systems that may not use standard information technology [IT]) for safety, performance, and reliability. Knowledge
1038B Knowledge of local specialized system requirements (e.g., critical infrastructure/control systems that may not use standard information technology [IT]) for safety, performance, and reliability). Knowledge
1073 Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools. Knowledge
1125 Knowledge of Cloud-based knowledge management technologies and concepts related to security, governance, procurement, and administration. Knowledge
1130 Knowledge of organizational process improvement concepts and process maturity models (e.g., Capability Maturity Model Integration (CMMI) for Development, CMMI for Services, and CMMI for Acquisitions). Knowledge
1133 Knowledge of service management concepts for networks and related standards (e.g., Information Technology Infrastructure Library, current version [ITIL]). Knowledge
1135 Knowledge of the application firewall concepts and functions (e.g., Single point of authentication/audit/policy enforcement, message scanning for malicious content, data anonymization for PCI and PII compliance, data loss protection scanning, accelerated cryptographic operations, SSL security, REST/JSON processing). Knowledge
1136A Knowledge of use cases related to collaboration and content synchronization across platforms (e.g., Mobile, PC, Cloud). Knowledge
1140A Skill in using Public-Key Infrastructure (PKI) encryption and digital signature capabilities into applications (e.g., S/MIME email, SSL traffic). Skill
1141A Knowledge of an organization’s information classification program and procedures for information compromise. Knowledge
1142B Skill in applying security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model). Skill
1147A Develop data management capabilities (e.g., cloud based, centralized cryptographic key management) to include support to the mobile workforce. Task
2014 Analyze candidate architectures, allocate security services, and select security mechanisms. Task
2887 Write detailed functional specifications that document the architecture development process. Task
3153 Knowledge of circuit analysis. Knowledge
3246 Knowledge of confidentiality, integrity, and availability requirements. Knowledge
3642 Knowledge of various types of computer architectures. Knowledge
6150 Ability to optimize systems to meet enterprise performance requirements. Ability
6210 Knowledge of cloud service models and possible limitations for an incident response. Knowledge
6330 Knowledge of multi-level/security cross domain solutions. Knowledge
6640 Skill in designing multi-level security/cross domain solutions. Skill
6680 Skill in the use of design methods. Skill
6918 Ability to apply cybersecurity strategy to cloud computing service and deployment models, identifying proper architecture for different operating environments. Ability
6919 Ability to determine the best cloud deployment model for the appropriate operating environment. Ability
6942 Skill in designing or implementing cloud computing deployment models. Skill
6945 Skill in migrating workloads to, from, and among the different cloud computing service models. Skill