Authorizing Official/Designating Representative

Authorizing Official/Designating Representative
Work Role ID: SP-RSK-001
Senior official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation (CNSSI 4009).
Category: Securely Provision
Specialty Area: Risk Management

Abilities

A0028: Ability to assess and forecast manpower requirements to meet organizational objectives.
A0033: Ability to develop policy, plans, and strategy in compliance with laws, regulations, policies, and standards in support of organizational cyber activities.
A0077: Ability to coordinate cyber operations with other organization functions or support activities.
A0090: Ability to identify external partners with common cyber operations interests.
A0094: Ability to interpret and apply laws, regulations, policies, and guidance relevant to organization cyber objectives.
A0111: Ability to work across departments and business units to implement organization’s privacy principles and programs, and align privacy objectives with security objectives.
A0117: Ability to relate strategy, business, and technology in the context of organizational dynamics.
A0118: Ability to understand technology, management, and leadership issues related to organization processes and problem solving.
A0119: Ability to understand the basic concepts and issues related to cyber and its organizational impact.
A0123: Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
A0170: Ability to identify critical infrastructure systems with information communication technology that were designed without system security considerations.

Knowledge

K0001: Knowledge of computer networking concepts and protocols, and network security methodologies.
K0002: Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
K0003: Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.
K0004: Knowledge of cybersecurity and privacy principles.
K0005: Knowledge of cyber threats and vulnerabilities.
K0006: Knowledge of specific operational impacts of cybersecurity lapses.
K0013: Knowledge of cyber defense and vulnerability assessment tools and their capabilities.
K0019: Knowledge of cryptography and cryptographic key management concepts
K0027: Knowledge of organization's enterprise information security architecture.
K0028: Knowledge of organization's evaluation and validation requirements.
K0037: Knowledge of Security Assessment and Authorization process.
K0038: Knowledge of cybersecurity and privacy principles used to manage risks related to the use, processing, storage, and transmission of information or data.
K0040: Knowledge of vulnerability information dissemination sources (e.g., alerts, advisories, errata, and bulletins).
K0044: Knowledge of cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
K0048: Knowledge of Risk Management Framework (RMF) requirements.
K0049: Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption).
K0054: Knowledge of current industry methods for evaluating, implementing, and disseminating information technology (IT) security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities.
K0059: Knowledge of new and emerging information technology (IT) and cybersecurity technologies.
K0070: Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
K0084: Knowledge of structured analysis principles and methods.
K0089: Knowledge of systems diagnostic tools and fault identification techniques.
K0101: Knowledge of the organization’s enterprise information technology (IT) goals and objectives.
K0126: Knowledge of Supply Chain Risk Management Practices (NIST SP 800-161)
K0146: Knowledge of the organization's core business/mission processes.
K0168: Knowledge of applicable laws, statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures.
K0169: Knowledge of information technology (IT) supply chain security and supply chain risk management policies, requirements, and procedures.
K0170: Knowledge of critical infrastructure systems with information communication technology that were designed without system security considerations.
K0179: Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).
K0199: Knowledge of security architecture concepts and enterprise architecture reference models (e.g., Zachman, Federal Enterprise Architecture [FEA]).
K0203: Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model).
K0260: Knowledge of Personally Identifiable Information (PII) data security standards.
K0261: Knowledge of Payment Card Industry (PCI) data security standards.
K0262: Knowledge of Personal Health Information (PHI) data security standards.
K0267: Knowledge of laws, policies, procedures, or governance relevant to cybersecurity for critical infrastructures.
K0295: Knowledge of confidentiality, integrity, and availability principles.
K0322: Knowledge of embedded systems.
K0342: Knowledge of penetration testing principles, tools, and techniques.
K0622: Knowledge of controls related to the use, processing, storage, and transmission of data.
K0624: Knowledge of Application Security Risks (e.g. Open Web Application Security Project Top 10 list)

Skills

S0034: Skill in discerning the protection needs (i.e., security controls) of information systems and networks.
S0367: Skill to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).

Tasks

T0145: Manage and approve Accreditation Packages (e.g., ISO/IEC 15026-2).
T0221: Review authorization and assurance documents to confirm that the level of risk is within acceptable limits for each software application, system, and network.
T0371: Establish acceptable limits for the software application, network, or system.
T0495: Manage Accreditation Packages (e.g., ISO/IEC 15026-2).

Capability Indicators

Capability Indicators for Authorizing Official/Designating Representative
Category	Entry	Intermediate	Advanced
Credentials/Certifications	Recommended: Yes Example Types: N/A Example Topics: Certifications that address managing, maintaining, troubleshooting, installing, and configuring basic network infrastructure, as well as system security, access control, cryptography, assessments/audits, organizational security, authentication, security testing, intrusion detection/prevention, incident response and recovery, cryptography, malicious code countermeasures, mobile devices, hardware evaluation, and operating systems	Recommended: Yes Example Types: N/A Example Topics: Certifications that address FedRAMP, risk management, categorization of information systems, selection of security controls, security control implementation/ assessment, authorization, risk identification/ assessment/evaluation, risk response/ monitoring, reducing production costs, application vulnerabilities and delivery delays, secure software concepts, requirements, design, implementation/coding, testing, software acceptance, software deployment, operations, maintenance, disposal, network types/media, Transmission Control Protocol/Internet Protocol (TCP/IP), IP addressing/routing, and WAN technologies	Recommended: Not essential but may be beneficial Example Topics: Certifications that address advanced security and risk management, asset security, security engineering, communications and network security, identity and access management, security assessment and testing, security operations, software development security, categorization of information systems, selection of security controls, security control implementation, security control assessment, information system authorization, information security governance, information security program development and management, and information security incident management
Continuous Learning	Recommended: Yes Examples: 40 hours annually (may include shadowing, attending conferences, rotations, professional memberships)	Recommended: Yes Examples: 40 hours annually (may include formal training, conferences, rotations, developing publications)	Recommended: Yes Examples: 40 hours annually (may include conference speaking, rotations, publications, providing mentoring, and development of new ideas/methods)
Education	Recommended: Yes Example Types: Bachelor's (certifications addressing information assurance, critical infrastructure protection, enterprise information security, and risk management may substitute education) Example Topics: N/A	Recommended: Yes Example Types: Bachelor's, Master's/M.B.A. Example Topics: Information assurance or risk management (certifications addressing Approval to Operate [ATO] processes, cybersecurity law, critical infrastructure protection, and continuity of operations [COOP] may substitute education)	Recommended: Yes Example Types: Master's, Ph.D. Example Topics: Information assurance or risk management (certifications addressing ATO processes, cybersecurity law, critical infrastructure protection, and COOP may substitute education)
Experiential Learning	Recommended: Yes Examples: Service desk, network technology, systems administration, and supervised on-the-job training in information assurance	Recommended: Yes Examples: Federal Information Security Management Act (FISMA) assessment, penetration testing, contingency testing, incident response testing, risk management, business impact analyses, supervised on-the-job training in information assurance	Recommended: Yes Examples: Prior experience as an ISSO, CSO, CISO, CIO, CRO, and/or Privacy Official could indicate proficiency
Training	Recommended: Yes Example Types: N/A Example Topics: Systems administration and internal, organization-specific certifying officer training	Recommended: Yes Example Types: N/A Example Topics: Network security and vulnerabilities, information systems security management, and advanced network analysis	Recommended: Yes Example Types: N/A Example Topics: Advanced information systems security management

The NICE Framework data presented on these pages was last updated by NIST on July 7, 2020 and will be updated when the official Revision 1 data is released.