Attention: CISA Learning is now available for External Users! The Federal Virtual Training Environment (FedVTE) has been permanently decommissioned and replaced by CISA Learning. Please reference the CISA Learning page for the latest information. Please note: CISA Users should wait to access CISA Learning until the system is ready for internal use in the coming days.

OG-WRL-013

Systems Authorization

Responsible for operating an information system at an acceptable level of risk to organizational operations, organizational assets, individuals, other organizations, and the nation.

Task statements

T0495: Manage Accreditation Packages (e.g., ISO/IEC 15026-2)
T1019: Determine special needs of cyber-physical systems
T1020: Determine the operational and safety impacts of cybersecurity lapses
T1022: Review enterprise information technology (IT) goals and objectives
T1023: Identify critical technology procurement requirements
T1036: Integrate leadership priorities
T1038: Integrate organization objectives in intelligence collection
T1107: Evaluate functional requirements
T1232: Approve accreditation packages
T1305: Determine if authorization and assurance documents identify an acceptable level of risk for software applications, systems, and networks

Knowledge statements

K0640: Knowledge of the organizational cybersecurity workforce
K0644: Knowledge of cybersecurity operation policies and procedures
K0674: Knowledge of computer networking protocols
K0675: Knowledge of risk management processes
K0676: Knowledge of cybersecurity laws and regulations
K0677: Knowledge of cybersecurity policies and procedures
K0678: Knowledge of privacy laws and regulations
K0679: Knowledge of privacy policies and procedures
K0680: Knowledge of cybersecurity principles and practices
K0681: Knowledge of privacy principles and practices
K0682: Knowledge of cybersecurity threats
K0683: Knowledge of cybersecurity vulnerabilities
K0684: Knowledge of cybersecurity threat characteristics
K0685: Knowledge of access control principles and practices
K0686: Knowledge of authentication and authorization tools and techniques
K0691: Knowledge of cyber defense tools and techniques
K0692: Knowledge of vulnerability assessment tools and techniques
K0698: Knowledge of cryptographic key management principles and practices
K0710: Knowledge of enterprise cybersecurity architecture principles and practices
K0711: Knowledge of evaluation and validation principles and practices
K0720: Knowledge of Security Assessment and Authorization (SA&A) processes
K0721: Knowledge of risk management principles and practices
K0723: Knowledge of vulnerability data sources
K0728: Knowledge of Confidentiality, Integrity and Availability (CIA) principles and practices
K0729: Knowledge of non-repudiation principles and practices
K0730: Knowledge of cyber safety principles and practices
K0734: Knowledge of Risk Management Framework (RMF) requirements
K0735: Knowledge of risk management models and frameworks
K0736: Knowledge of information technology (IT) security principles and practices
K0743: Knowledge of new and emerging technologies
K0746: Knowledge of policy-based access controls
K0747: Knowledge of Risk Adaptive (Adaptable) Access Controls (RAdAC)
K0751: Knowledge of system threats
K0752: Knowledge of system vulnerabilities
K0760: Knowledge of server diagnostic tools and techniques
K0761: Knowledge of Fault Detection and Diagnostics (FDD) tools and techniques
K0767: Knowledge of structured analysis principles and practices
K0778: Knowledge of enterprise information technology (IT) architecture principles and practices
K0784: Knowledge of insider threat laws and regulations
K0785: Knowledge of insider threat tools and techniques
K0791: Knowledge of defense-in-depth principles and practices
K0800: Knowledge of evidence admissibility laws and regulations
K0803: Knowledge of supply chain risk management principles and practices
K0819: Knowledge of import and export control laws and regulations
K0820: Knowledge of supply chain risks
K0821: Knowledge of federal agency roles and responsibilities
K0828: Knowledge of supply chain risk management standards and best practices
K0834: Knowledge of technology procurement principles and practices
K0838: Knowledge of supply chain risk management policies and procedures
K0839: Knowledge of critical infrastructure systems and software
K0859: Knowledge of encryption tools and techniques
K0870: Knowledge of enterprise architecture (EA) reference models and frameworks
K0871: Knowledge of enterprise architecture (EA) principles and practices
K0877: Knowledge of application firewall principles and practices
K0878: Knowledge of network firewall principles and practices
K0879: Knowledge of industry cybersecurity models and frameworks
K0880: Knowledge of access control models and frameworks
K0892: Knowledge of cyber defense laws and regulations
K0915: Knowledge of network architecture principles and practices
K0917: Knowledge of Personally Identifiable Information (PII) data security standards and best practices
K0918: Knowledge of Payment Card Industry (PCI) data security standards and best practices
K0919: Knowledge of Personal Health Information (PHI) data security standards and best practices
K0942: Knowledge of cryptology principles and practices
K0948: Knowledge of embedded systems and software
K0955: Knowledge of penetration testing principles and practices
K0956: Knowledge of penetration testing tools and techniques
K0962: Knowledge of targeting laws and regulations
K0963: Knowledge of exploitation laws and regulations
K0983: Knowledge of computer networking principles and practices
K0990: Knowledge of cyber operations principles and practices
K1014: Knowledge of network security principles and practices
K1050: Knowledge of critical information requirements
K1077: Knowledge of data security controls
K1079: Knowledge of web application security risks
K1084: Knowledge of data privacy controls

Skill statements

S0396: Skill in forecasting requirements
S0397: Skill in assessing requirements
S0398: Skill in analyzing organizational objectives
S0406: Skill in developing policy plans
S0414: Skill in evaluating laws
S0415: Skill in evaluating regulations
S0416: Skill in evaluating policies
S0430: Skill in collaborating with others
S0432: Skill in coordinating cybersecurity operations across an organization
S0439: Skill in identifying external partners
S0447: Skill in aligning privacy and cybersecurity objectives
S0465: Skill in identifying critical infrastructure systems
S0466: Skill in identifying systems designed without security considerations
S0497: Skill in developing client organization profiles
S0515: Skill in identifying partner capabilities
S0686: Skill in performing risk assessments
S0801: Skill in assessing partner operations capabilities
S0807: Skill in solving problems

Source: Workforce Framework for Cybersecurity (NICE Framework) (NIST SP 800-181 Rev 1) (Version: 1.0.0)