Cybersecurity (CS)
OG-WRL-012
DCWF 612
Security Control Assessor
Conducts independent comprehensive assessments of the management, operational, and technical security controls and control enhancements employed within or inherited by an information technology (IT) system to determine the overall effectiveness of the controls (as defined in NIST 800-37).
Tasks
The concrete work activities defined for this role in the DCWF v5.1 spreadsheet. Core tasks are required for the role; additional tasks are associated but not mandatory.
- T1146 (additional): Develop and implement cybersecurity independent audit processes for application software/networks/systems and oversee ongoing independent audits to ensure that operational and Research and Design (R&D) processes and procedures are in compliance with organizational and mandatory cybersecurity requirements and accurately followed by Systems Administrators and other cybersecurity staff when performing their day-to-day activities.
- T417 (additional): Apply coding and testing standards, apply security testing tools (including "fuzzing" and static-analysis code scanning tools), and conduct code reviews.
- T457 (additional): Conduct Privacy Impact Assessments (PIA) of the application’s security design for the appropriate security controls, which protect the confidentiality and integrity of Personally Identifiable Information (PII).
- T537 (additional): Develop methods to monitor and measure risk, compliance, and assurance efforts.
- T548 (additional): Develop specifications to ensure risk, compliance, and assurance efforts conform with security, resilience, and dependability requirements at the software application, system, and network environment level.
- T566 (additional): Draft statements of preliminary or residual security risks for system operation.
- T691 (additional): Maintain information systems assurance and accreditation materials.
- T710 (additional): Monitor and evaluate a system's compliance with information technology (IT) security, resilience, and dependability requirements.
- T772 (additional): Perform validation steps, comparing actual results with expected results, and analyze the differences to identify impact and risks.
- T775 (additional): Plan and conduct security authorization reviews and assurance case development for initial installation of systems and networks.
- T798 (additional): Provide an accurate technical evaluation of the software application, system, or network, documenting the security posture, capabilities, and vulnerabilities against relevant cybersecurity compliances.
- T827 (additional): Recommend new or revised security, resilience, and dependability measures based on the results of reviews.
- T836A (additional): Authorizing Official only: Determine if the security and privacy risk from operating a system or using a system, service, or application from an external provider is acceptable.
- T836B (additional): Review and approve security and privacy assessment plans.
- T878 (additional): Verify that application software/network/system security postures are implemented as stated, document deviations, and recommend required actions to correct those deviations.
- T879 (additional): Verify that the software application/network/system accreditation and assurance documentation is current.
- T936 (additional): Develop security compliance processes and/or audits for external services (e.g., cloud service providers, data centers).
Knowledge, Skills, and Abilities
KSA statements define what a person filling this role knows or can do. "Knowledge" is what they must know, "Skill" is what they can perform, and "Ability" is a durable capacity they bring to the work.
- K0019 (knowledge, core): Knowledge of cyber defense and vulnerability assessment tools, including open source tools, and their capabilities.
- K0040 (knowledge, core): Knowledge of organization's evaluation and validation requirements.
- K0055 (knowledge, core): Knowledge of cybersecurity principles used to manage risks related to the use, processing, storage, and transmission of information or data.
- K0058 (knowledge, core): Knowledge of known vulnerabilities from alerts, advisories, errata, and bulletins.
- K0063 (knowledge, core): Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
- K0070 (knowledge, core): Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption).
- K0077 (knowledge, core): Knowledge of current industry methods for evaluating, implementing, and disseminating information technology (IT) security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities.
- K0105 (knowledge, core): Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
- K053A (knowledge, core): Knowledge of risk assessments and authorization per Risk Management Framework processes.
- K069A (knowledge, core): Knowledge of risk management processes and requirements per the Risk Management Framework (RMF).
- K095B (knowledge, core): Knowledge of penetration testing principles, tools, and techniques, including specialized tools for non-traditional systems and networks (e.g., control systems).
- K1040A (knowledge, core): Knowledge of relevant laws, policies, procedures, or governance related to critical infrastructure.
- K1072 (knowledge, core): Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth, Zero Trust).
- S183 (skill, core): Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.
- S197 (skill, core): Skill in discerning the protection needs (i.e., security controls) of information systems and networks.
- K0027 (knowledge, additional): Knowledge of cryptography and cryptographic key management concepts.
- K0038 (knowledge, additional): Knowledge of organization's enterprise information security architecture system.
- K0121 (knowledge, additional): Knowledge of structured analysis principles and methods.
- K0128 (knowledge, additional): Knowledge of systems diagnostic tools and fault identification techniques.
- K0143 (knowledge, additional): Knowledge of the organization’s enterprise information technology (IT) goals and objectives.
- K043A (knowledge, additional): Knowledge of embedded systems.
- K088B (knowledge, additional): Knowledge of new and emerging control systems technologies.
- K0942 (knowledge, additional): Knowledge of the organization's core business/mission processes.
- K1034A (knowledge, additional): Knowledge of Personally Identifiable Information (PII) data security standards.
- K1034B (knowledge, additional): Knowledge of Payment Card Industry (PCI) data security standards.
- K1034C (knowledge, additional): Knowledge of Personal Health Information (PHI) data security standards.
- K1036 (knowledge, additional): Knowledge of applicable laws (e.g., Electronic Communications Privacy Act, Foreign Intelligence Surveillance Act, Protect America Act, search and seizure laws, civil liberties and privacy laws), statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures relevant to work performed.
- K1037 (knowledge, additional): Knowledge of information technology (IT) supply chain security and risk management policies, requirements, and procedures.
- K1038B (knowledge, additional): Knowledge of local specialized system requirements (e.g., critical infrastructure/control systems that may not use standard information technology [IT]) for safety, performance, and reliability.
- K1131 (knowledge, additional): Knowledge of security architecture concepts and enterprise architecture reference models (e.g., Zachman, Federal Enterprise Architecture [FEA]).
- K1141A (knowledge, additional): Knowledge of an organization's information classification program and procedures for information compromise.
- K1142 (knowledge, additional): Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model).
- S1039 (skill, additional): Skill in evaluating the trustworthiness of the supplier and/or product.
- S156 (skill, additional): Skill in applying confidentiality, integrity, and availability principles.
- S203 (skill, additional): Skill in identifying measures or indicators of system performance and the actions needed to improve or correct performance, relative to the goals of the system.
- S3B (skill, additional): Skill in conducting vulnerability scans and recognizing vulnerabilities in information systems and networks.
Other roles in this element
CS-212 Cyber Defense Forensics Analyst
CS-462 Control Systems Security Specialist
CS-511 Cyber Defense Analyst
CS-521 Cyber Defense Infrastructure Support Specialist
CS-531 Cyber Defense Incident Responder
CS-541 Vulnerability Assessment Analyst
CS-611 Authorizing Official/Designated Representative
CS-622 Secure Software Assessor
CS-631 Information Systems Security Developer
CS-652 Security Architect
CS-722 Information Systems Security Manager
CS-723 COMSEC Manager