Cybersecurity (CS)
OG-WRL-013
DCWF 611
Authorizing Official/Designated Representative
Senior official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation (CNSSI 4009).
Tasks
The concrete work activities defined for this role in the DCWF v5.1 spreadsheet. Core tasks are required for the role; additional tasks are associated but not mandatory.
- T1146 additional Develop and implement cybersecurity independent audit processes for application software/networks/systems and oversee ongoing independent audits to ensure that operational and Research and Design (R&D) processes and procedures are in compliance with organizational and mandatory cybersecurity requirements and accurately followed by Systems Administrators and other cybersecurity staff when performing their day-to-day activities.
- T5320 additional Establish acceptable limits for the software application, network, or system.
- T5824 additional Authorizing Official only: Approve security and privacy assessment plans for systems and environments of operation.
- T5827 additional Determine the authorization boundaries of systems.
- T5837 additional Respond to threats and vulnerabilities based on the results of ongoing/continuous monitoring activities and risk assessments and decide if risk remains acceptable.
- T5838 additional Review and approve security categorization results for systems.
- T5839 additional Review security and privacy assessment plans for systems and environments of operation.
- T600 additional Evaluate cost-benefit, economic, and risk analysis in the decision-making process.
- T696B additional Authorizing Official only: Approve authorization packages.
- T696C additional Manage authorization packages.
- T710 additional Monitor and evaluate a system's compliance with information technology (IT) security, resilience, and dependability requirements.
- T801B additional Provide cybersecurity and supply chain risk management guidance.
- T836A additional Authorizing Official only: Determine if the security and privacy risk from operating a system or using a system, service, or application from an external provider is acceptable.
Knowledge, Skills, and Abilities
KSA statements define what a person filling this role knows or can do. "Knowledge" is what they must know, "Skill" is what they can perform, and "Ability" is a durable capacity they bring to the work.
- K0038 knowledge core Knowledge of organization's enterprise information security architecture system.
- K0053 knowledge core Knowledge of measures or indicators of system performance and availability.
- K0055 knowledge core Knowledge of cybersecurity principles used to manage risks related to the use, processing, storage, and transmission of information or data.
- K0063 knowledge core Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
- K0069 knowledge core Knowledge of Risk Management Framework (RMF) requirements.
- K0077 knowledge core Knowledge of current industry methods for evaluating, implementing, and disseminating information technology (IT) security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities.
- K0088 knowledge core Knowledge of systems administration concepts.
- K0121 knowledge core Knowledge of structured analysis principles and methods.
- K0979 knowledge core Knowledge of supply chain risk management standards, processes, and practices.
- K1034A knowledge core Knowledge of Personally Identifiable Information (PII) data security standards.
- K1036 knowledge core Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed.
- K1037 knowledge core Knowledge of information technology (IT) supply chain security and risk management policies, requirements, and procedures.
- K1037A knowledge core Knowledge of information technology (IT) risk management policies, requirements, and procedures.
- K1040A knowledge core Knowledge of relevant laws, policies, procedures, or governance related to critical infrastructure.
- K1072 knowledge core Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth, Zero Trust).
- K156A knowledge core Knowledge of confidentiality, integrity, and availability principles.
- K6936 knowledge core Knowledge of types of authorizations.
- S197 skill core Skill in discerning the protection needs (i.e., security controls) of information systems and networks.
- K0019 knowledge additional Knowledge of cyber defense and vulnerability assessment tools, including open source tools, and their capabilities.
- K0027 knowledge additional Knowledge of cryptography and cryptographic key management concepts.
- K0040 knowledge additional Knowledge of organization's evaluation and validation requirements.
- K0058 knowledge additional Knowledge of known vulnerabilities from alerts, advisories, errata, and bulletins.
- K0070 knowledge additional Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption).
- K0098 knowledge additional Knowledge of policy-based and risk adaptive access controls.
- K0105 knowledge additional Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
- K0128 knowledge additional Knowledge of systems diagnostic tools and fault identification techniques.
- K0143 knowledge additional Knowledge of the organization’s enterprise information technology (IT) goals and objectives.
- K0325 knowledge additional Knowledge of secure acquisitions (e.g., relevant Contracting Officer's Technical Representative [COTR] duties, secure procurement, supply chain risk management).
- K043A knowledge additional Knowledge of embedded systems.
- K0942 knowledge additional Knowledge of the organization's core business/mission processes.
- K0952 knowledge additional Knowledge of emerging security issues, risks, and vulnerabilities.
- K095A knowledge additional Knowledge of penetration testing principles, tools, and techniques.
- K0965 knowledge additional Knowledge of organization's risk tolerance and/or risk management approach.
- K1034B knowledge additional Knowledge of Payment Card Industry (PCI) data security standards.
- K1034C knowledge additional Knowledge of Personal Health Information (PHI) data security standards.
- K1038 knowledge additional Knowledge of local specialized system requirements (e.g., critical infrastructure systems that may not use standard information technology [IT]) for safety, performance, and reliability.
- K1131 knowledge additional Knowledge of security architecture concepts and enterprise architecture reference models (e.g., Zachman, Federal Enterprise Architecture [FEA]).
- K1142 knowledge additional Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model).
- K1157A knowledge additional Knowledge of national and international laws, regulations, policies, and ethics as they relate to cybersecurity and AI.
- K177B knowledge additional Knowledge of countermeasures for identified security risks.
- K3591 knowledge additional Knowledge of organization objectives, leadership priorities, and decision-making risks.
- K6931 knowledge additional Knowledge of methods and techniques for analyzing risk.
- S179 skill additional Skill in designing security controls based on cybersecurity principles and tenets.
Other roles in this element
CS-212 Cyber Defense Forensics Analyst
CS-462 Control Systems Security Specialist
CS-511 Cyber Defense Analyst
CS-521 Cyber Defense Infrastructure Support Specialist
CS-531 Cyber Defense Incident Responder
CS-541 Vulnerability Assessment Analyst
CS-612 Security Control Assessor
CS-622 Secure Software Assessor
CS-631 Information Systems Security Developer
CS-652 Security Architect
CS-722 Information Systems Security Manager
CS-723 COMSEC Manager