Security Control Assessor

Work Role ID: 612 | Workforce Element: Cybersecurity

What does this work role do? Conducts independent comprehensive assessments of the management, operational, and technical security controls and control enhancements employed within or inherited by an information technology (IT) system to determine the overall effectiveness of the controls (as defined in NIST 800-37).

CORE KSATs

KSAT ID	Description	KSAT
19	Knowledge of cyber defense and vulnerability assessment tools, including open source tools, and their capabilities.	Knowledge
22	* Knowledge of computer networking concepts and protocols, and network security methodologies.	Knowledge
40	Knowledge of organization’s evaluation and validation requirements.	Knowledge
55	Knowledge of cybersecurity principles used to manage risks related to the use, processing, storage, and transmission of information or data.	Knowledge
58	Knowledge of known vulnerabilities from alerts, advisories, errata, and bulletins.	Knowledge
63	Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).	Knowledge
70	Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption).	Knowledge
77	Knowledge of current industry methods for evaluating, implementing, and disseminating information technology (IT) security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities.	Knowledge
105	Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).	Knowledge
108	* Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).	Knowledge
183	Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.	Skill
197	Skill in discerning the protection needs (i.e., security controls) of information systems and networks.	Skill
537	Develop methods to monitor and measure risk, compliance, and assurance efforts.	Task
548	Develop specifications to ensure risk, compliance, and assurance efforts conform with security, resilience, and dependability requirements at the software application, system, and network environment level.	Task
566	Draft statements of preliminary or residual security risks for system operation.	Task
691	Maintain information systems assurance and accreditation materials.	Task
710	Monitor and evaluate a system’s compliance with information technology (IT) security, resilience, and dependability requirements.	Task
1040A	Knowledge of relevant laws, policies, procedures, or governance related to critical infrastructure.	Knowledge
1072	Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).	Knowledge
1157	* Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity.	Knowledge
1158	* Knowledge of cybersecurity principles.	Knowledge
1159	* Knowledge of cyber threats and vulnerabilities.	Knowledge
6900	* Knowledge of specific operational impacts of cybersecurity lapses.	Knowledge
6935	* Knowledge of cloud computing service models Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).	Knowledge
6938	* Knowledge of cloud computing deployment models in private, public, and hybrid environment and the difference between on-premises and off-premises environments.	Knowledge

ADDITIONAL KSATs

KSAT ID	Description	KSAT
3B	Skill in conducting vulnerability scans and recognizing vulnerabilities in information systems and networks.	Skill
27	Knowledge of cryptography and cryptographic key management concepts.	Knowledge
38	Knowledge of organization’s enterprise information security architecture system.	Knowledge
43A	Knowledge of embedded systems.	Knowledge
53A	Knowledge of security risk assessments and authorization per Risk Management Framework processes.	Knowledge
69A	Knowledge of risk management processes and requirements per the Risk Management Framework (RMF).	Knowledge
88	Knowledge of new and emerging information technology (IT) and cybersecurity technologies.	Knowledge
88A	Knowledge of current and emerging cyber technologies.	Knowledge
95B	Knowledge of penetration testing principles, tools, and techniques, including specialized tools for non-traditional systems and networks (e.g., control systems).	Knowledge
121	Knowledge of structured analysis principles and methods.	Knowledge
128	Knowledge of systems diagnostic tools and fault identification techniques.	Knowledge
143	Knowledge of the organization’s enterprise information technology (IT) goals and objectives.	Knowledge
156	Skill in applying confidentiality, integrity, and availability principles.	Skill
203	Skill in identifying measures or indicators of system performance and the actions needed to improve or correct performance, relative to the goals of the system.	Skill
417	Apply coding and testing standards, apply security testing tools including “‘fuzzing” static-analysis code scanning tools, and conduct code reviews.	Task
457	Conduct Privacy Impact Assessments (PIA) of the application’s security design for the appropriate security controls, which protect the confidentiality and integrity of Personally Identifiable Information (PII).	Task
772	Perform validation steps, comparing actual results with expected results and analyze the differences to identify impact and risks.	Task
775	Plan and conduct security authorization reviews and assurance case development for initial installation of systems and networks.	Task
798	Provide an accurate technical evaluation of the software application, system, or network, documenting the security posture, capabilities, and vulnerabilities against relevant cybersecurity compliances.	Task
827	Recommend new or revised security, resilience, and dependability measures based on the results of reviews.	Task
836B	Review and approve security and privacy assessment plans.	Task
836	Review authorization and assurance documents to confirm that the level of risk is within acceptable limits for each software application, system, and network.	Task
878	Verify that application software/network/system security postures are implemented as stated, document deviations, and recommend required actions to correct those deviations.	Task
879	Verify that the software application/network/system accreditation and assurance documentation is current.	Task
936	Develop security compliance processes and/or audits for external services (e.g., cloud service providers, data centers).	Task
942	Knowledge of the organization’s core business/mission processes.	Knowledge
1034A	Knowledge of Personally Identifiable Information (PII) data security standards.	Knowledge
1034B	Knowledge of Payment Card Industry (PCI) data security standards.	Knowledge
1034C	Knowledge of Personal Health Information (PHI) data security standards.	Knowledge
1036	Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed.	Knowledge
1037	Knowledge of information technology (IT) supply chain security and risk management policies, requirements, and procedures.	Knowledge
1038B	Knowledge of local specialized system requirements (e.g., critical infrastructure/control systems that may not use standard information technology [IT]) for safety, performance, and reliability).	Knowledge
1039	Skill in evaluating the trustworthiness of the supplier and/or product.	Skill
1131	Knowledge of security architecture concepts and enterprise architecture reference models (e.g., Zackman, Federal Enterprise Architecture [FEA]).	Knowledge
1141A	Knowledge of an organization’s information classification program and procedures for information compromise.	Knowledge
1142	Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model).	Knowledge
1146	Develop and Implement cybersecurity independent audit processes for application software/networks/systems and oversee ongoing independent audits to ensure that operational and Research and Design (R&D) processes and procedures are in compliance with organizational and mandatory cybersecurity requirements and accurately followed by Systems Administrators and other cybersecurity staff when performing their day-to-day activities.	Task