Attention: CISA Learning is now available for External Users! The Federal Virtual Training Environment (FedVTE) has been permanently decommissioned and replaced by CISA Learning. Please reference the CISA Learning page for the latest information. Please note: CISA Users should wait to access CISA Learning until the system is ready for internal use in the coming days.

OG-WRL-002

Cybersecurity Policy and Planning

Responsible for developing and maintaining cybersecurity plans, strategy, and policy to support and align with organizational cybersecurity initiatives and regulatory compliance.

Task statements

T0226: Serve on agency and interagency policy boards
T1020: Determine the operational and safety impacts of cybersecurity lapses
T1028: Research new vulnerabilities in emerging technologies
T1107: Evaluate functional requirements
T1158: Develop cybersecurity implementation policies and guidelines
T1184: Establish stakeholder communication channels
T1185: Maintain stakeholder communication channels
T1306: Conduct technology program and project audits
T1335: Promote cybersecurity awareness to management
T1336: Verify the inclusion of sound cybersecurity principles in the organization's vision and goals
T1357: Determine if cybersecurity requirements have been successfully implemented
T1358: Determine the effectiveness of organizational cybersecurity policies and procedures
T1394: Develop independent cybersecurity audit processes for application software, networks, and systems
T1395: Implement independent cybersecurity audit processes for application software, networks, and systems
T1396: Oversee independent cybersecurity audits
T1397: Determine if research and design processes and procedures are in compliance with cybersecurity requirements
T1398: Determine if research and design processes and procedures are accurately followed by cybersecurity staff when performing their day-to-day activities
T1436: Acquire adequate funding for cybersecurity training
T1464: Determine if cybersecurity workforce management policies and procedures comply with legal and organizational requirements
T1476: Promote awareness of cybersecurity policy and strategy among management
T1482: Conduct cybersecurity workforce assessments
T1492: Integrate laws and regulations into policy
T1518: Develop organizational cybersecurity strategy
T1543: Develop cybersecurity policies and procedures
T1605: Advise management, staff, and users on cybersecurity policy

Knowledge statements

K0644: Knowledge of cybersecurity operation policies and procedures
K0674: Knowledge of computer networking protocols
K0675: Knowledge of risk management processes
K0676: Knowledge of cybersecurity laws and regulations
K0677: Knowledge of cybersecurity policies and procedures
K0678: Knowledge of privacy laws and regulations
K0679: Knowledge of privacy policies and procedures
K0680: Knowledge of cybersecurity principles and practices
K0681: Knowledge of privacy principles and practices
K0682: Knowledge of cybersecurity threats
K0683: Knowledge of cybersecurity vulnerabilities
K0684: Knowledge of cybersecurity threat characteristics
K0691: Knowledge of cyber defense tools and techniques
K0692: Knowledge of vulnerability assessment tools and techniques
K0743: Knowledge of new and emerging technologies
K0751: Knowledge of system threats
K0752: Knowledge of system vulnerabilities
K0773: Knowledge of telecommunications principles and practices
K0812: Knowledge of digital communication systems and software
K0892: Knowledge of cyber defense laws and regulations
K0943: Knowledge of industry indicators
K0962: Knowledge of targeting laws and regulations
K0963: Knowledge of exploitation laws and regulations
K0969: Knowledge of cyber-attack tools and techniques
K0983: Knowledge of computer networking principles and practices
K0990: Knowledge of cyber operations principles and practices
K1014: Knowledge of network security principles and practices
K1023: Knowledge of network exploitation tools and techniques
K1079: Knowledge of web application security risks
K1137: Knowledge of cybersecurity requirements
K1180: Knowledge of organizational cybersecurity goals and objectives
K1183: Knowledge of organizational cybersecurity policies and procedures
K1186: Knowledge of organizational human resource (HR) policies and procedures
K1206: Knowledge of research and design processes and procedures

Skill statements

S0406: Skill in developing policy plans
S0497: Skill in developing client organization profiles
S0515: Skill in identifying partner capabilities
S0519: Skill in detecting exploitation activities
S0687: Skill in performing administrative planning activities
S0712: Skill in evaluating data source quality
S0713: Skill in evaluating information quality
S0729: Skill in preparing plans
S0821: Skill in collaborating with internal and external stakeholders

Source: Workforce Framework for Cybersecurity (NICE Framework) (NIST SP 800-181 Rev 1) (Version: 1.0.0)