Attention: CISA Learning is now available for External Users! The Federal Virtual Training Environment (FedVTE) has been permanently decommissioned and replaced by CISA Learning. Please reference the CISA Learning page for the latest information. Please note: CISA Users should wait to access CISA Learning until the system is ready for internal use in the coming days.

OG-WRL-001

Communications Security (COMSEC) Management

Responsible for managing the Communications Security (COMSEC) resources of an organization.

Task statements

T1015: Identify roles and responsibilities for appointed Communications Security (COMSEC) personnel
T1016: Identify Communications Security (COMSEC) incidents
T1017: Report Communications Security (COMSEC) incidents
T1018: Identify in-process accounting requirements for Communications Security (COMSEC)
T1020: Determine the operational and safety impacts of cybersecurity lapses
T1022: Review enterprise information technology (IT) goals and objectives
T1023: Identify critical technology procurement requirements
T1058: Advise senior management on risk levels and security posture
T1059: Perform cost/benefit analyses of cybersecurity programs, policies, processes, systems, and elements
T1060: Advise senior management on organizational cybersecurity efforts
T1088: Communicate the value of cybersecurity to organizational stakeholders
T1113: Develop the enterprise continuity of operations strategy
T1114: Establish the enterprise continuity of operations program
T1178: Determine if security improvement actions are evaluated, validated, and implemented as required
T1186: Establish enterprise information security architecture
T1300: Report cybersecurity incidents
T1310: Implement protective or corrective measures when a cybersecurity incident or vulnerability is discovered

Knowledge statements

K0018: Knowledge of encryption algorithms
K0671: Knowledge of Communications Security (COMSEC) policies and procedures
K0672: Knowledge of the Communications Security (COMSEC) Material Control System (CMCS)
K0673: Knowledge of types of Communications Security (COMSEC) incidents
K0674: Knowledge of computer networking protocols
K0675: Knowledge of risk management processes
K0676: Knowledge of cybersecurity laws and regulations
K0677: Knowledge of cybersecurity policies and procedures
K0678: Knowledge of privacy laws and regulations
K0679: Knowledge of privacy policies and procedures
K0680: Knowledge of cybersecurity principles and practices
K0681: Knowledge of privacy principles and practices
K0682: Knowledge of cybersecurity threats
K0683: Knowledge of cybersecurity vulnerabilities
K0684: Knowledge of cybersecurity threat characteristics
K0709: Knowledge of business continuity and disaster recovery (BCDR) policies and procedures
K0721: Knowledge of risk management principles and practices
K0724: Knowledge of incident response principles and practices
K0725: Knowledge of incident response tools and techniques
K0726: Knowledge of incident handling tools and techniques
K0731: Knowledge of systems security engineering (SSE) principles and practices
K0746: Knowledge of policy-based access controls
K0747: Knowledge of Risk Adaptive (Adaptable) Access Controls (RAdAC)
K0749: Knowledge of process engineering principles and practices
K0751: Knowledge of system threats
K0752: Knowledge of system vulnerabilities
K0758: Knowledge of server administration principles and practices
K0765: Knowledge of software engineering principles and practices
K0771: Knowledge of system life cycle management principles and practices
K0779: Knowledge of systems engineering processes
K0798: Knowledge of program management principles and practices
K0799: Knowledge of project management principles and practices
K0803: Knowledge of supply chain risk management principles and practices
K0834: Knowledge of technology procurement principles and practices
K0840: Knowledge of hardware reverse engineering tools and techniques
K0842: Knowledge of software reverse engineering tools and techniques
K0851: Knowledge of reverse engineering principles and practices
K0865: Knowledge of data classification standards and best practices
K0866: Knowledge of data classification tools and techniques
K0928: Knowledge of systems engineering principles and practices
K0931: Knowledge of data-at-rest encryption (DARE) standards and best practices
K0932: Knowledge of cryptographic key storage systems and software
K0934: Knowledge of data classification policies and procedures
K0947: Knowledge of computer engineering principles and practices
K0983: Knowledge of computer networking principles and practices
K1014: Knowledge of network security principles and practices
K1050: Knowledge of critical information requirements
K1077: Knowledge of data security controls
K1084: Knowledge of data privacy controls
K1171: Knowledge of mission assurance practices and principles
K1179: Knowledge of organization's security strategy

Skill statements

S0486: Skill in implementing enterprise key escrow systems
S0574: Skill in developing security system controls
S0578: Skill in evaluating security designs
S0596: Skill in encrypting network communications
S0619: Skill in auditing technical systems
S0657: Skill in implementing Public Key Infrastructure (PKI) encryption
S0658: Skill in implementing digital signatures
S0841: Skill in identifying possible security violations
S0850: Skill in performing cost/benefit analysis
S0858: Skill in performing economic analysis
S0878: Skill in performing risk analysis

Source: Workforce Framework for Cybersecurity (NICE Framework) (NIST SP 800-181 Rev 1) (Version: 1.0.0)