  • A0033: Ability to develop policy, plans, and strategy in compliance with laws, regulations, policies, and standards in support of organizational cyber activities.
  • A0070: Ability to apply critical reading/thinking skills.
  • A0085: Ability to exercise judgment when policies are not well-defined.
  • A0094: Ability to interpret and apply laws, regulations, policies, and guidance relevant to organization cyber objectives.
  • A0105: Ability to tailor technical and planning information to a customer’s level of understanding.
  • A0106: Ability to think critically.
  • A0116: Ability to prioritize and allocate cybersecurity resources correctly and efficiently.
  • A0117: Ability to relate strategy, business, and technology in the context of organizational dynamics.
  • A0118: Ability to understand technology, management, and leadership issues related to organization processes and problem solving.
  • A0119: Ability to understand the basic concepts and issues related to cyber and its organizational impact.
  • A0129: Ability to ensure information security management processes are integrated with strategic and operational planning processes. 
  • A0130: Ability to ensure that senior officials within the organization provide information security for the information and systems that support the operations and assets under their control. 


  • K0001: Knowledge of computer networking concepts and protocols, and network security methodologies. 
  • K0002: Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). 
  • K0003: Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy. 
  • K0004: Knowledge of cybersecurity and privacy principles. 
  • K0005: Knowledge of cyber threats and vulnerabilities. 
  • K0006: Knowledge of specific operational impacts of cybersecurity lapses. 
  • K0009: Knowledge of application vulnerabilities. 
  • K0070: Knowledge of system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, Procedural Language/Structured Query Language [PL/SQL] and injections, race conditions, covert channel, replay, return-oriented attacks, malicious code).
  • K0106: Knowledge of what constitutes a network attack and a network attack’s relationship to both threats and vulnerabilities. 
  • K0147: Knowledge of emerging security issues, risks, and vulnerabilities.
  • K0296: Knowledge of capabilities, applications, and potential vulnerabilities of network equipment including hubs, routers, switches, bridges, servers, transmission media, and related hardware.
  • K0314: Knowledge of industry technologies’ potential cybersecurity vulnerabilities. 
  • K0624: Knowledge of Application Security Risks (e.g. Open Web Application Security Project Top 10 list) 
  • K0628: Knowledge of cyber competitions as a way of developing skills by providing hands-on experience in simulated, real-world situations. 


  • S0018: Skill in creating policies that reflect system security objectives.
  • S0356: Skill in communicating with all levels of management including Board members (e.g., interpersonal skills, approachability, effective listening skills, appropriate use of style and language for the audience).
  • S0357: Skill to anticipate new security threats.
  • S0358: Skill to remain aware of evolving technical infrastructures.
  • S0359: Skill to use critical thinking to analyze organizational patterns and relationships.


  • T0001: Acquire and manage the necessary resources, including leadership support, financial resources, and key security personnel, to support information technology (IT) security goals and objectives and reduce overall organizational risk.
  • T0002: Acquire necessary resources, including financial resources, to conduct an effective enterprise continuity of operations program.
  • T0004: Advise senior management (e.g., CIO) on cost/benefit analysis of information security programs, policies, processes, systems, and elements.
  • T0006: Advocate organization's official position in legal and legislative proceedings.
  • T0025: Communicate the value of information technology (IT) security throughout all levels of the organization stakeholders.
  • T0066: Develop and maintain strategic plans.
  • T0130: Interface with external organizations (e.g., public affairs, law enforcement, Command or Component Inspector General) to ensure appropriate and accurate dissemination of incident and other Computer Network Defense information.
  • T0134: Lead and align information technology (IT) security priorities with the security strategy.
  • T0135: Lead and oversee information security budget, staffing, and contracting.
  • T0148: Manage the publishing of Computer Network Defense guidance (e.g., TCNOs, Concept of Operations, Net Analyst Reports, NTSM, MTOs) for the enterprise constituency.
  • T0151: Monitor and evaluate the effectiveness of the enterprise's cybersecurity safeguards to ensure that they provide the intended level of protection.
  • T0227: Recommend policy and coordinate review and approval.
  • T0229: Supervise or manage protective or corrective measures when a cybersecurity incident or vulnerability is discovered.
  • T0248: Promote awareness of security issues among management and ensure sound security principles are reflected in the organization's vision and goals.
  • T0254: Oversee policy standards and implementation strategies to ensure procedures and guidelines comply with cybersecurity policies.
  • T0263: Identify security requirements specific to an information technology (IT) system in all phases of the system life cycle.
  • T0264: Ensure that plans of actions and milestones or remediation plans are in place for vulnerabilities identified during risk assessments, audits, inspections, etc.
  • T0282: Define and/or implement policies and procedures to ensure protection of critical infrastructure as appropriate.
  • T0337: Supervise and assign work to programmers, designers, technologists and technicians, and other engineering and scientific personnel.
  • T0356: Coordinate with organizational manpower stakeholders to ensure appropriate allocation and distribution of human capital assets.
  • T0429: Assess policy needs and collaborate with stakeholders to develop policies to govern cyber activities.
  • T0445: Design/integrate a cyber strategy that outlines the vision, mission, and goals that align with the organization's strategic plan.
  • T0509: Perform an information security risk assessment.
  • T0763: Conduct long-range, strategic planning efforts with internal and external partners in cyber activities.
  • T0871: Collaborate on cyber privacy and security policies and procedures.
  • T0872: Collaborate with cybersecurity personnel on the security risk assessment process to address privacy compliance and risk mitigation.
  • T0927: Appoint and guide a team of IT security experts.
  • T0928: Collaborate with key stakeholders to establish a cybersecurity risk management program.

Capability Indicators

Capability Indicators for Executive Cyber Leadership
Each category below lists its indicators at three levels: Entry, Intermediate, and Advanced.

Credentials/Certifications
  • Entry
    • Recommended: Yes
    • Example Types: N/A
    • Example Topics: Certifications addressing security and risk management, asset security, security engineering, communications and network security, identity and access management, security assessment and testing, security operations, information security governance, security program development and management, incident management, cybersecurity leadership, system security, network infrastructure, access control, cryptography, assessments and audits, organizational security, managing, maintaining, troubleshooting, installing, network infrastructure, mobile device integration, hardware evaluation, operating systems, technical support, information systems security, system certification, risk analysis
  • Intermediate
    • Recommended: Yes
    • Example Types: N/A
    • Example Topics: Certifications addressing risk management, categorization of information systems, selection of security controls, security control implementation and assessment, information system authorization, monitoring of security controls
  • Advanced
    • Recommended: Yes
    • Example Topics: Certifications addressing security and risk management, asset security, security engineering, communications and network security, identity and access management, security assessment and testing, security operations, software development security, information security governance, information risk management, information, incident management

Continuous Learning
  • Entry
    • Recommended: Yes
    • Examples: 20 hours annually (may include learning how to lead change, rotations, self-awareness training, contributing to information security publications, webinars, internal organization-specific leadership training, seminars)
  • Intermediate
    • Recommended: Yes
    • Examples: 40 hours annually (may include experience building culture, interagency joint duties, work rotations, detail(s), publishing articles, maintain credentials)
  • Advanced
    • Recommended: Yes
    • Examples: 40-80 hours annually (may include continued education, attending and presenting new ideas at conferences [i.e., thought leadership])

Education
  • Entry
    • Recommended: Not essential but may be beneficial
    • Example Types: Associate's, Bachelor's
    • Example Topics: Business, public administration, applied science, computer information systems, applied software, IT-related field
  • Intermediate
    • Recommended: Yes
    • Example Types: Bachelor's (certifications addressing information systems security, advanced systems management, systems certification, systems administration, governance, security risk management, controls, and audit management, information security core concepts [access control, social engineering, phishing attacks, identity theft], strategic planning, finance, and vendor management may substitute education)
    • Example Topics: Computer science, computer information systems, business administration, information assurance, informatics
  • Advanced
    • Recommended: Yes
    • Example Types: Master's, Ph.D. (certifications addressing information systems security, advanced systems management, systems administration, system certification, and risk analysis may substitute education)
    • Example Topics: Computer science, computer information systems, business administration, information assurance, informatics

Experiential Learning
  • Entry
    • Recommended: Not essential but may be beneficial
    • Examples: 4-7 years of experience in a significant security role, operational management experience in general IT disciplines (e.g., network technician, service desk support, desktop support, entry level software development, tier 1 security operations center work/triage), experience in physical security
  • Intermediate
    • Recommended: Not essential but may be beneficial
    • Examples: 7-10 years operational management experience involving penetration testing, security assessments, T2/T3 security operations, security, network operations, fundamental operations, privacy assessments, privacy testing, contracting, managing and changing business processes, aligning strategy and performance metrics to organizational mission, contracting office representative, physical security operations and training, prior rotations
  • Advanced
    • Recommended: Not essential but may be beneficial
    • Examples: 10-15+ years high-level organizational and business strategy (e.g., staffing and planning, budget formulation, long-term risk management and risk outlay planning), IT strategic planning and understanding risk, experience with classified or highly sensitive environments (background investigations, high security), developing people (leading and organizing, leading change management)

Training
  • Entry
    • Recommended: Yes
    • Example Types: N/A
    • Example Topics: Risk management, budgeting, acquisition and contracting, vendor training
  • Intermediate
    • Recommended: Yes
    • Example Types: N/A
    • Example Topics: Operational training (e.g., scaled scope penetration test, rule sets between firewall and intrusion detection system)—integration and operation, network security vulnerability
  • Advanced
    • Recommended: Yes
    • Example Types: N/A
    • Example Topics: Executive core qualifications (leading change, leading people, business acumen, building coalitions), managerial and operational workforce needs, conveying risk to stakeholders, technical, organizational behavior and change, risk management training, executive training, information system security manager