Attention: CISA Learning is now available! If you are an EXTERNAL (non-CISA) user access the new system using this url: CISA Learning. The Federal Virtual Training Environment (FedVTE) has been permanently decommissioned and replaced by CISA Learning. Please reference the CISA Learning page for the latest information. Please note: CISA Users (staff and contractors) should access CISA Learning through the internal site. You should have received an email on December 4, 2024, titled “CISA Learning is LIVE!” with more information.

CI-WRL-004

Cyber Intelligence Planning

Responsible for developing intelligence plans to satisfy cyber operation requirements. Identifies, validates, and levies requirements for intelligence collection and analysis. Participates in targeting selection, validation, synchronization, and execution of cyber actions. Synchronizes intelligence activities to support organization objectives in cyberspace.

Task statements

T0630: Incorporate intelligence equities into the overall design of cyber operations plans
T0718: Identify intelligence gaps and shortfalls
T0734: Issue requests for information
T1020: Determine the operational and safety impacts of cybersecurity lapses
T1023: Identify critical technology procurement requirements
T1033: Support cyber operations
T1035: Determine how threat activity groups employ encryption to support their operations
T1036: Integrate leadership priorities
T1037: Develop operations strategies
T1038: Integrate organization objectives in intelligence collection
T1043: Determine staffing needs
T1044: Review course of action analysis results
T1045: Review exercise analysis results
T1046: Assess operation performance
T1047: Assess operation impact
T1048: Synchronize operational assessment procedures and critical information requirement processes
T1054: Scope analysis reports to various audiences that accounts for data sharing classification restrictions
T1456: Determine the impact of threats on cybersecurity
T1457: Implement threat countermeasures
T1637: Coordinate intelligence support to operational planning
T1638: Recommend cyber operation targets
T1639: Assess target vulnerabilities and operational capabilities
T1644: Develop cyber operations indicators
T1647: Develop priority information requirements
T1649: Synchronize intelligence support plans across partner organizations
T1650: Develop cybersecurity success metrics
T1657: Develop a diverse program of information materials
T1661: Assess all-source data for intelligence or vulnerability value
T1678: Develop cyber operations crisis action plans
T1679: Develop organizational decision support tools
T1684: Communicate information requirements to collection managers
T1685: Assess capability to satisfy assigned intelligence tasks
T1686: Identify intelligence requirements
T1687: Draft intelligence sections of cyber operations plans
T1688: Identify strategies to counter potential target actions
T1702: Integrate intelligence guidance into cyber operations planning activities
T1705: Provide intelligence guidance to cyber operations requirements
T1712: Recommend potential courses of action
T1717: Recommend changes to planning policies and procedures
T1718: Implement changes to planning policies and procedures
T1727: Develop cyber intelligence collection and production requirements
T1728: Implement collection operation plans
T1729: Synchronize intelligence planning activities with operational planning timelines
T1738: Determine cyber operations partner intelligence capabilities and limitations
T1739: Develop intelligence collection requirements
T1741: Designate priority information requirements
T1750: Identify intelligence environment preparation derived production needs
T1752: Develop courses of action based on threat factors
T1756: Interpret environment preparation assessments
T1761: Determine if changes to the operating environment require review of the plan
T1779: Coordinate strategic planning efforts with internal and external partners
T1791: Provide cyber recommendations to intelligence support planning
T1800: Recommend changes to operational plans
T1815: Develop cyber intelligence plans
T1835: Determine if intelligence requirements and collection plans are accurate and up-to-date
T1836: Document lessons learned during events and exercises

Knowledge statements

K0018: Knowledge of encryption algorithms
K0480: Knowledge of malware
K0498: Knowledge of operational planning processes
K0644: Knowledge of cybersecurity operation policies and procedures
K0674: Knowledge of computer networking protocols
K0675: Knowledge of risk management processes
K0676: Knowledge of cybersecurity laws and regulations
K0677: Knowledge of cybersecurity policies and procedures
K0678: Knowledge of privacy laws and regulations
K0679: Knowledge of privacy policies and procedures
K0680: Knowledge of cybersecurity principles and practices
K0681: Knowledge of privacy principles and practices
K0682: Knowledge of cybersecurity threats
K0683: Knowledge of cybersecurity vulnerabilities
K0684: Knowledge of cybersecurity threat characteristics
K0689: Knowledge of network infrastructure principles and practices
K0697: Knowledge of encryption algorithm capabilities and applications
K0698: Knowledge of cryptographic key management principles and practices
K0718: Knowledge of network communications principles and practices
K0719: Knowledge of human-computer interaction (HCI) principles and practices
K0751: Knowledge of system threats
K0752: Knowledge of system vulnerabilities
K0766: Knowledge of data asset management principles and practices
K0773: Knowledge of telecommunications principles and practices
K0784: Knowledge of insider threat laws and regulations
K0785: Knowledge of insider threat tools and techniques
K0786: Knowledge of physical computer components
K0787: Knowledge of computer peripherals
K0792: Knowledge of network configurations
K0799: Knowledge of project management principles and practices
K0800: Knowledge of evidence admissibility laws and regulations
K0806: Knowledge of machine virtualization tools and techniques
K0812: Knowledge of digital communication systems and software
K0815: Knowledge of intelligence collection management processes
K0818: Knowledge of new and emerging cybersecurity risks
K0819: Knowledge of import and export control laws and regulations
K0820: Knowledge of supply chain risks
K0821: Knowledge of federal agency roles and responsibilities
K0825: Knowledge of threat vector characteristics
K0831: Knowledge of network attack vectors
K0834: Knowledge of technology procurement principles and practices
K0857: Knowledge of malware analysis tools and techniques
K0858: Knowledge of virtual machine detection tools and techniques
K0865: Knowledge of data classification standards and best practices
K0866: Knowledge of data classification tools and techniques
K0892: Knowledge of cyber defense laws and regulations
K0899: Knowledge of crisis management protocols
K0900: Knowledge of crisis management processes
K0901: Knowledge of crisis management tools and techniques
K0915: Knowledge of network architecture principles and practices
K0916: Knowledge of malware analysis principles and practices
K0925: Knowledge of wireless communication tools and techniques
K0926: Knowledge of signal jamming tools and techniques
K0934: Knowledge of data classification policies and procedures
K0942: Knowledge of cryptology principles and practices
K0959: Knowledge of operational design principles and practices
K0960: Knowledge of content management system (CMS) capabilities and applications
K0961: Knowledge of planning systems and software
K0964: Knowledge of all-source intelligence reporting policies and procedures
K0968: Knowledge of analytic standards and frameworks Skill in assigning analytical confidence ratings
K0969: Knowledge of cyber-attack tools and techniques
K0976: Knowledge of intelligence collection principles and practices
K0978: Knowledge of intelligence collection planning processes
K0983: Knowledge of computer networking principles and practices
K0984: Knowledge of web security principles and practices
K0985: Knowledge of crisis action plan models and frameworks
K0989: Knowledge of intelligence information repositories
K0990: Knowledge of cyber operations principles and practices
K0993: Knowledge of deconfliction processes
K1005: Knowledge of intelligence collection capabilities and applications
K1007: Knowledge of intelligence requirements tasking systems and software
K1008: Knowledge of intelligence support activities
K1009: Knowledge of threat intelligence principles and practices
K1011: Knowledge of network addressing principles and practices
K1014: Knowledge of network security principles and practices
K1019: Knowledge of operations security (OPSEC) principles and practices
K1020: Knowledge of organization decision support tools and techniques
K1023: Knowledge of network exploitation tools and techniques
K1024: Knowledge of partnership policies and procedures
K1025: Knowledge of decision-making policies and procedures
K1027: Knowledge of post implementation review (PIR) processes
K1028: Knowledge of target development principles and practices
K1029: Knowledge of production exploitation principles and practices
K1030: Knowledge of operational planning tools and techniques
K1035: Knowledge of target research tools and techniques
K1036: Knowledge of target organization structures
K1037: Knowledge of target critical capabilities
K1038: Knowledge of target critical vulnerabilities
K1049: Knowledge of routing protocols
K1050: Knowledge of critical information requirements
K1054: Knowledge of red team functions and capabilities
K1058: Knowledge of intelligence processes
K1059: Knowledge of request for information processes
K1063: Knowledge of operation assessment processes
K1066: Knowledge of threat behaviors
K1067: Knowledge of target behaviors
K1069: Knowledge of virtual machine tools and technologies
K1100: Knowledge of analytical tools and techniques
K1101: Knowledge of analytics
K1109: Knowledge of virtual collaborative workspace tools and techniques
K1187: Knowledge of organizational objectives
K1196: Knowledge of priority intelligence collection requirements

Skill statements

S0186: Skill in applying crisis planning procedures
S0310: Skill in applying analytical standards during intelligence product evaluation
S0385: Skill in communicating complex concepts
S0414: Skill in evaluating laws
S0415: Skill in evaluating regulations
S0416: Skill in evaluating policies
S0430: Skill in collaborating with others
S0431: Skill in applying critical thinking
S0432: Skill in coordinating cybersecurity operations across an organization
S0438: Skill in functioning effectively in a dynamic, fast-paced environment
S0439: Skill in identifying external partners
S0472: Skill in developing virtual machines
S0473: Skill in maintaining virtual machines
S0493: Skill in determining intelligence support requirements
S0494: Skill in performing operational environment analysis
S0497: Skill in developing client organization profiles
S0498: Skill in managing an intelligence collection plan
S0501: Skill in developing crisis action plans
S0505: Skill in performing intrusion data analysis
S0509: Skill in evaluating security products
S0513: Skill in determining intelligence employment requirements
S0514: Skill in preparing operational environments
S0515: Skill in identifying partner capabilities
S0526: Skill in initiating planning activities
S0527: Skill in developing crisis action timelines
S0529: Skill in identifying production exploitation needs
S0535: Skill in performing threat factor analysis
S0537: Skill in designing wireless communications systems
S0540: Skill in identifying network threats
S0579: Skill in preparing reports
S0600: Skill in collecting relevant data from a variety of sources
S0610: Skill in communicating effectively
S0633: Skill in developing position qualification requirements
S0686: Skill in performing risk assessments
S0687: Skill in performing administrative planning activities
S0702: Skill in defining an operational environment
S0704: Skill in performing target analysis
S0709: Skill in developing analytics
S0712: Skill in evaluating data source quality
S0713: Skill in evaluating information quality
S0728: Skill in preparing briefings
S0729: Skill in preparing plans
S0739: Skill in analyzing intelligence products
S0756: Skill in incorporating feedback
S0761: Skill in performing strategic guidance analysis
S0762: Skill in integrating organization objectives
S0763: Skill in assessing cyber operations
S0765: Skill in converting intelligence requirements into intelligence production tasks
S0766: Skill in coordinating product development
S0767: Skill in developing tailored intelligence products
S0768: Skill in allocating resources
S0769: Skill in defining progress indicators
S0770: Skill in defining success indicators
S0771: Skill in creating planning documents
S0772: Skill in maintaining planning documents
S0773: Skill in tracking services
S0778: Skill in evaluating operational environments
S0779: Skill in determining information requirements
S0782: Skill in determining capability estimates
S0783: Skill in creating decision support materials
S0785: Skill in interpreting planning guidance
S0787: Skill in monitoring threat effects to partner capabilities
S0788: Skill in orchestrating planning teams
S0789: Skill in coordinating collection support
S0790: Skill in monitoring status
S0791: Skill in presenting to an audience
S0800: Skill in analyzing organizational patterns and relationships
S0801: Skill in assessing partner operations capabilities
S0811: Skill in managing intelligence collection requirements
S0817: Skill in building internal and external relationships
S0847: Skill in performing all-source intelligence analysis

Source: Workforce Framework for Cybersecurity (NICE Framework) (NIST SP 800-181 Rev 1) (Version: 1.0.0)