DD-WRL-004

Secure Systems Development

Responsible for the secure design, development, and testing of systems and the evaluation of system security throughout the systems development life cycle.

Task statements

T0067: Develop architectures or system components consistent with technical specifications
T0084: Employ secure configuration management processes
T0122: Implement security designs for new or existing systems
T0124: Incorporate cybersecurity vulnerability solutions into system designs (e.g., Cybersecurity Vulnerability Alerts)
T0271: Develop cybersecurity designs to meet specific operational needs and environmental factors (e.g., access controls, automated applications, networked operations, high integrity and availability requirements, multilevel security/processing of multiple classification levels, and processing Sensitive Compartmented Information)
T1010: Communicate enterprise information technology architecture
T1019: Determine special needs of cyber-physical systems
T1020: Determine the operational and safety impacts of cybersecurity lapses
T1022: Review enterprise information technology (IT) goals and objectives
T1026: Determine procurement requirements
T1027: Integrate organizational goals and objectives into security architecture
T1030: Estimate the impact of collateral damage
T1041: Determine impact of software configurations
T1046: Assess operation performance
T1047: Assess operation impact
T1072: Determine life cycle support requirements
T1075: Implement application cybersecurity policies
T1078: Determine effectiveness of system cybersecurity measures
T1079: Develop cybersecurity risk profiles
T1081: Create product prototypes using working and theoretical models
T1084: Identify anomalous network activity
T1096: Perform privacy impact assessments (PIAs)
T1118: Identify vulnerabilities
T1119: Recommend vulnerability remediation strategies
T1122: Determine essential system capabilities and business functions
T1123: Prioritize essential system capabilities and business functions
T1124: Restore essential system capabilities and business functions after catastrophic failure events
T1128: Design cybersecurity or cybersecurity-enabled products
T1129: Develop cybersecurity or cybersecurity-enabled products
T1131: Determine if hardware, operating systems, and software applications adequately address cybersecurity requirements
T1132: Design system data backup capabilities
T1133: Develop technical and procedural processes for integrity of stored backup data
T1134: Develop technical and procedural processes for backup data storage
T1138: Create system testing and validation procedures and documentation
T1148: Develop systems security design documentation
T1149: Develop disaster recovery and continuity of operations plans for systems under development
T1150: Test disaster recovery and continuity of operations plans for systems prior to deployment
T1160: Develop risk mitigation strategies
T1161: Resolve system vulnerabilities
T1162: Recommend security changes to systems and system components
T1163: Develop cybersecurity countermeasures for systems and applications
T1164: Develop risk mitigation strategies for systems and applications
T1193: Allocate security functions to components and elements
T1194: Remediate technical problems encountered during system testing and implementation
T1195: Direct the remediation of technical problems encountered during system testing and implementation
T1206: Recommend cybersecurity or cybersecurity-enabled products for use within a system
T1269: Conduct risk analysis of applications and systems undergoing major changes
T1292: Develop guidelines for implementing developed systems for customers and installation teams
T1294: Advise on Risk Management Framework process activities and documentation
T1309: Analyze system capabilities and requirements
T1312: Conduct test and evaluation activities
T1326: Develop system performance predictions for various operating conditions
T1363: Plan system security development
T1364: Conduct system security development
T1365: Document cybersecurity design and development activities
T1401: Integrate system development life cycle methodologies into development environment
T1454: Design secure interfaces between information systems, physical systems, and embedded technologies
T1455: Implement secure interfaces between information systems, physical systems, and embedded technologies
T1489: Correlate incident data
T1507: Determine user requirements
T1508: Plan cybersecurity architecture
T1519: Design system security measures
T1520: Update system security measures
T1522: Determine if systems meet minimum security requirements
T1563: Implement system security measures
T1583: Determine effectiveness of system implementation and testing processes
T1584: Establish minimum security requirements for applications
T1585: Determine if applications meet minimum security requirements
T1586: Conduct cybersecurity risk assessments
T1592: Conduct cybersecurity reviews
T1593: Identify cybersecurity gaps in enterprise architecture
T1604: Provide cybersecurity advice on implementation plans, standard operating procedures, maintenance documentation, and maintenance training materials
T1613: Determine if design components meet system requirements
T1614: Determine scalability of system architecture

Knowledge statements

K0018: Knowledge of encryption algorithms
K0055: Knowledge of microprocessors
K0068: Knowledge of programming language structures and logic
K0653: Knowledge of cybersecurity practices in the acquisition process
K0674: Knowledge of computer networking protocols
K0675: Knowledge of risk management processes
K0676: Knowledge of cybersecurity laws and regulations
K0677: Knowledge of cybersecurity policies and procedures
K0678: Knowledge of privacy laws and regulations
K0679: Knowledge of privacy policies and procedures
K0680: Knowledge of cybersecurity principles and practices
K0681: Knowledge of privacy principles and practices
K0682: Knowledge of cybersecurity threats
K0683: Knowledge of cybersecurity vulnerabilities
K0684: Knowledge of cybersecurity threat characteristics
K0685: Knowledge of access control principles and practices
K0686: Knowledge of authentication and authorization tools and techniques
K0694: Knowledge of computer algorithm capabilities and applications
K0698: Knowledge of cryptographic key management principles and practices
K0707: Knowledge of database systems and software
K0710: Knowledge of enterprise cybersecurity architecture principles and practices
K0711: Knowledge of evaluation and validation principles and practices
K0712: Knowledge of Local Area Networks (LAN)
K0713: Knowledge of Wide Area Networks (WAN)
K0714: Knowledge of electrical engineering principles and practices
K0715: Knowledge of resiliency and redundancy principles and practices
K0716: Knowledge of host access control (HAC) systems and software
K0717: Knowledge of network access control (NAC) systems and software
K0719: Knowledge of human-computer interaction (HCI) principles and practices
K0721: Knowledge of risk management principles and practices
K0722: Knowledge of software development principles and practices
K0728: Knowledge of Confidentiality, Integrity and Availability (CIA) principles and practices
K0729: Knowledge of non-repudiation principles and practices
K0730: Knowledge of cyber safety principles and practices
K0731: Knowledge of systems security engineering (SSE) principles and practices
K0736: Knowledge of information technology (IT) security principles and practices
K0737: Knowledge of bandwidth management tools and techniques
K0739: Knowledge of mathematics principles and practices
K0742: Knowledge of identity and access management (IAM) principles and practices
K0744: Knowledge of operating system (OS) systems and software
K0745: Knowledge of parallel and distributed computing principles and practices
K0746: Knowledge of policy-based access controls
K0747: Knowledge of Risk Adaptive (Adaptable) Access Controls (RAdAC)
K0748: Knowledge of Privacy Impact Assessment (PIA) principles and practices
K0749: Knowledge of process engineering principles and practices
K0751: Knowledge of system threats
K0752: Knowledge of system vulnerabilities
K0755: Knowledge of configuration management (CM) tools and techniques
K0756: Knowledge of security management principles and practices
K0757: Knowledge of system design tools and techniques
K0758: Knowledge of server administration principles and practices
K0759: Knowledge of client and server architecture
K0764: Knowledge of software development models and frameworks
K0765: Knowledge of software engineering principles and practices
K0767: Knowledge of structured analysis principles and practices
K0768: Knowledge of automated systems analysis tools and techniques
K0769: Knowledge of system design standards and best practices
K0771: Knowledge of system life cycle management principles and practices
K0772: Knowledge of systems testing and evaluation tools and techniques
K0773: Knowledge of telecommunications principles and practices
K0778: Knowledge of enterprise information technology (IT) architecture principles and practices
K0779: Knowledge of systems engineering processes
K0791: Knowledge of defense-in-depth principles and practices
K0803: Knowledge of supply chain risk management principles and practices
K0813: Knowledge of interpreted and compiled programming language characteristics
K0814: Knowledge of secure coding tools and techniques
K0820: Knowledge of supply chain risks
K0828: Knowledge of supply chain risk management standards and best practices
K0838: Knowledge of supply chain risk management policies and procedures
K0839: Knowledge of critical infrastructure systems and software
K0840: Knowledge of hardware reverse engineering tools and techniques
K0842: Knowledge of software reverse engineering tools and techniques
K0846: Knowledge of secure software deployment principles and practices
K0847: Knowledge of secure software deployment tools and techniques
K0848: Knowledge of network systems management principles and practices
K0849: Knowledge of network systems management tools and techniques
K0851: Knowledge of reverse engineering principles and practices
K0859: Knowledge of encryption tools and techniques
K0865: Knowledge of data classification standards and best practices
K0866: Knowledge of data classification tools and techniques
K0870: Knowledge of enterprise architecture (EA) reference models and frameworks
K0871: Knowledge of enterprise architecture (EA) principles and practices
K0872: Knowledge of service management principles and practices
K0873: Knowledge of service management standards and best practices
K0877: Knowledge of application firewall principles and practices
K0878: Knowledge of network firewall principles and practices
K0879: Knowledge of industry cybersecurity models and frameworks
K0880: Knowledge of access control models and frameworks
K0891: Knowledge of the Open Systems Interconnect (OSI) reference model
K0915: Knowledge of network architecture principles and practices
K0917: Knowledge of Personally Identifiable Information (PII) data security standards and best practices
K0918: Knowledge of Payment Card Industry (PCI) data security standards and best practices
K0919: Knowledge of Personal Health Information (PHI) data security standards and best practices
K0922: Knowledge of the acquisition life cycle models and frameworks
K0928: Knowledge of systems engineering principles and practices
K0934: Knowledge of data classification policies and procedures
K0937: Knowledge of countermeasure design principles and practices
K0942: Knowledge of cryptology principles and practices
K0947: Knowledge of computer engineering principles and practices
K0948: Knowledge of embedded systems and software
K0952: Knowledge of information theory principles and practices
K0983: Knowledge of computer networking principles and practices
K1014: Knowledge of network security principles and practices
K1063: Knowledge of operation assessment processes
K1080: Knowledge of secure software update principles and practices
K1081: Knowledge of secure firmware update principles and practices
K1088: Knowledge of knowledge management tools and techniques
K1100: Knowledge of analytical tools and techniques
K1111: Knowledge of application security design principles and practices
K1119: Knowledge of component and interface specifications
K1120: Knowledge of Confidentiality, Integrity, Availability, Authenticity, and Non-repudiation (CIAAN) principles and practices
K1148: Knowledge of data manipulation principles and practices
K1149: Knowledge of data retrieval principles and practices
K1150: Knowledge of data storage principles and practices
K1158: Knowledge of evaluation and validation requirements
K1164: Knowledge of hardware design principles and practices
K1194: Knowledge of Personally Identifiable Information (PII) attributes
K1212: Knowledge of security controls
K1235: Knowledge of user needs and requirements

Skill statements

S0097: Skill in applying security controls
S0136: Skill in network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools
S0141: Skill in assessing security systems designs
S0172: Skill in applying secure coding techniques
S0383: Skill in analyzing an organization's enterprise information technology architecture
S0385: Skill in communicating complex concepts
S0391: Skill in creating technical documentation
S0409: Skill in deriving evaluative conclusions from data
S0418: Skill in applying secure network architectures
S0419: Skill in designing systems
S0423: Skill in analyzing processes to ensure conformance with procedural requirements
S0428: Skill in designing architectures
S0429: Skill in designing frameworks
S0430: Skill in collaborating with others
S0462: Skill in integrating information security requirements in the acquisitions process
S0463: Skill in implementing software quality control processes
S0465: Skill in identifying critical infrastructure systems
S0466: Skill in identifying systems designed without security considerations
S0532: Skill in analyzing software configurations
S0543: Skill in scanning for vulnerabilities
S0544: Skill in recognizing vulnerabilities
S0569: Skill in designing security controls
S0570: Skill in designing the integration of hardware solutions
S0571: Skill in designing the integration of software solutions
S0574: Skill in developing security system controls
S0578: Skill in evaluating security designs
S0619: Skill in auditing technical systems
S0655: Skill in designing secure test plans
S0664: Skill in applying policies that meet system security objectives
S0674: Skill in installing system and component upgrades
S0675: Skill in optimizing system performance
S0681: Skill in performing design modeling
S0686: Skill in performing risk assessments
S0744: Skill in performing technical writing
S0788: Skill in orchestrating planning teams
S0789: Skill in coordinating collection support
S0790: Skill in monitoring status
S0824: Skill in communicating with customers
S0861: Skill in performing gap analysis
S0878: Skill in performing risk analysis
S0893: Skill in performing user needs analysis
S0899: Skill in testing interfaces

Source: Workforce Framework for Cybersecurity (NICE Framework) (NIST SP 800-181 Rev 1) (Version: 1.0.0)