• Communications Security (COMSEC) Manager

    Work Role ID: OV-MGT-002
    Individual who manages the Communications Security (COMSEC) resources of an organization (CNSSI 4009) or key custodian for a Crypto Key Management System (CKMS).
    Category: Oversee and Govern
    Specialty Area: Cybersecurity Management

Abilities

  • A0162: Ability to recognize the unique aspects of the Communications Security (COMSEC) environment and hierarchy. 
  • A0163: Ability to interpret Communications Security (COMSEC) terminology, guidelines and procedures. 
  • A0164: Ability to identify the roles and responsibilities for appointed Communications Security (COMSEC) personnel. 
  • A0165: Ability to manage Communications Security (COMSEC) material accounting, control and use procedures.
  • A0166: Ability to identify types of Communications Security (COMSEC) incidents and how they are reported.
  • A0167: Ability to recognize the importance of auditing Communications Security (COMSEC) material and accounts.
  • A0168: Ability to identify the requirements of in-process accounting for Communications Security (COMSEC).
  • A0177: Ability to recognize the unique aspects of the Communications Security (COMSEC) environment and hierarchy.

Knowledge

  • K0001: Knowledge of computer networking concepts and protocols, and network security methodologies. 
  • K0002: Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). 
  • K0003: Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy. 
  • K0004: Knowledge of cybersecurity and privacy principles. 
  • K0005: Knowledge of cyber threats and vulnerabilities. 
  • K0006: Knowledge of specific operational impacts of cybersecurity lapses. 
  • K0018: Knowledge of encryption algorithms.
  • K0026: Knowledge of business continuity and disaster recovery continuity of operations plans. 
  • K0038: Knowledge of cybersecurity and privacy principles used to manage risks related to the use, processing, storage, and transmission of information or data.
  • K0042: Knowledge of incident response and handling methodologies. 
  • K0090: Knowledge of system life cycle management principles, including software security and usability.
  • K0101: Knowledge of the organization’s enterprise information technology (IT) goals and objectives.
  • K0121: Knowledge of information security program management and project management principles and techniques.
  • K0126: Knowledge of supply chain risk management practices (NIST SP 800-161).
  • K0163: Knowledge of critical information technology (IT) procurement requirements.
  • K0267: Knowledge of laws, policies, procedures, or governance relevant to cybersecurity for critical infrastructures. 
  • K0285: Knowledge of implementing enterprise key escrow systems to support data-at-rest encryption.
  • K0287: Knowledge of an organization's information classification program and procedures for information compromise. 
  • K0622: Knowledge of controls related to the use, processing, storage, and transmission of data. 

Skills

  • S0027: Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.
  • S0059: Skill in using Virtual Private Network (VPN) devices and encryption.
  • S0138: Skill in integrating Public-Key Infrastructure (PKI) encryption and digital signature capabilities into applications (e.g., S/MIME email, SSL traffic).

Tasks

  • T0003: Advise senior management (e.g., Chief Information Officer [CIO]) on risk levels and security posture.
  • T0004: Advise senior management (e.g., CIO) on cost/benefit analysis of information security programs, policies, processes, systems, and elements.
  • T0025: Communicate the value of information technology (IT) security to stakeholders at all levels of the organization.
  • T0044: Collaborate with stakeholders to establish the enterprise continuity of operations program, strategy, and mission assurance.
  • T0089: Ensure that security improvement actions are evaluated, validated, and implemented as required.
  • T0095: Establish the overall enterprise information security architecture (EISA), aligned with the organization's overall security strategy.
  • T0099: Evaluate cost/benefit, economic, and risk analysis in the decision-making process.
  • T0215: Recognize a possible security violation and take appropriate action to report the incident, as required.
  • T0229: Supervise or manage protective or corrective measures when a cybersecurity incident or vulnerability is discovered.

Capability Indicators

Capability Indicators for Communications Security (COMSEC) Manager

Each category below is given for the Entry, Intermediate and Advanced proficiency levels.

Credentials/Certifications
  Entry
    • Recommended: N/A
    • Example Types: N/A
    • Example Topics: N/A
  Intermediate
    • Recommended: Yes
    • Example Types: N/A
    • Example Topics: Certifications addressing business continuity and disaster recovery, cloud computing security, cryptography, incident management, IT governance, risk management, securing communications, strategic program management, program lifecycle (initiating, planning, executing, controlling, closing), benefits management, and stakeholder management
  Advanced
    • Recommended: Not essential but may be beneficial
    • Example Topics: Certifications addressing security leadership, security and risk management, asset security, security engineering, communications and network security, identity and access management, security assessment and testing, security operations, software development security, information security governance, information security program development and management, information security incident management, strategic program management, program lifecycle (initiating, planning, executing, controlling, closing), benefits management, and stakeholder management

Continuous Learning
  Entry
    • Recommended: N/A
    • Examples: N/A
  Intermediate
    • Recommended: Yes
    • Examples: 40 hours annually (may include mentoring, shadowing, conferences, webinars, or rotations)
  Advanced
    • Recommended: Yes
    • Examples: 40 hours annually (may include mentoring, shadowing, conferences, webinars, or rotations)

Education
  Entry
    • Recommended: No (not an Entry-level Work Role)
    • Example Types: N/A
    • Example Topics: N/A
  Intermediate
    • Recommended: Yes
    • Example Types: Bachelor's (certifications addressing national information assurance training standards for senior systems managers may substitute for education)
    • Example Topics: N/A
  Advanced
    • Recommended: Yes
    • Example Types: Bachelor's (certifications addressing national information assurance training standards for senior systems managers or chief information security officers may substitute for education)
    • Example Topics: N/A

Experiential Learning
  Entry
    • Recommended: N/A
    • Examples: N/A
  Intermediate
    • Recommended: Yes
    • Examples: Supervised on-the-job training as an information assurance technician and/or a beginner or intermediate information professional
  Advanced
    • Recommended: Yes
    • Examples: Supervised on-the-job training as an information assurance manager and/or a beginner or intermediate information professional

Training
  Entry
    • Recommended: N/A
    • Example Types: N/A
    • Example Topics: N/A
  Intermediate
    • Recommended: Yes
    • Example Types: N/A
    • Example Topics: Leadership, information system security management, NIST Risk Management Framework and NIST Cybersecurity Framework
  Advanced
    • Recommended: No
    • Example Types: N/A
    • Example Topics: N/A