Abilities

  • A0039: Ability to oversee the development and update of the life cycle cost estimate.

Knowledge

  • K0001: Knowledge of computer networking concepts and protocols, and network security methodologies. 
  • K0002: Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). 
  • K0003: Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy. 
  • K0004: Knowledge of cybersecurity and privacy principles. 
  • K0005: Knowledge of cyber threats and vulnerabilities. 
  • K0006: Knowledge of specific operational impacts of cybersecurity lapses. 
  • K0048: Knowledge of Risk Management Framework (RMF) requirements. 
  • K0072: Knowledge of resource management principles and techniques.
  • K0120: Knowledge of how information needs and collection requirements are translated, tracked, and prioritized across the extended enterprise.
  • K0126: Knowledge of Supply Chain Risk Management Practices (NIST SP 800-161).
  • K0146: Knowledge of the organization's core business/mission processes.
  • K0154: Knowledge of supply chain risk management standards, processes, and practices.
  • K0165: Knowledge of risk threat assessment.
  • K0169: Knowledge of information technology (IT) supply chain security and supply chain risk management policies, requirements, and procedures. 
  • K0235: Knowledge of how to leverage research and development centers, think tanks, academic research, and industry systems. 
  • K0257: Knowledge of information technology (IT) acquisition/procurement requirements.
  • K0270: Knowledge of the acquisition/procurement life cycle process. 

Skills

  • S0372: Skill to translate, track, and prioritize information needs and intelligence collection requirements across the extended enterprise. 

Tasks

  • T0220: Resolve conflicts in laws, regulations, policies, standards, or procedures.
  • T0223: Review or conduct audits of information technology (IT) programs and projects.
  • T0277: Ensure that all acquisitions, procurements, and outsourcing efforts address information security requirements consistent with organization goals.
  • T0302: Develop contract language to ensure supply chain, system, network, and operational security are met.
  • T0377: Gather feedback on customer satisfaction and internal service performance to foster continual improvement.
  • T0415: Ensure that supply chain, system, network, performance, and cybersecurity requirements are included in contract language and delivered.
  • T0493: Lead and oversee budget, staffing, and contracting.
  • T0551: Draft and publish supply chain security and risk management documents.

Capability Indicators

Capability Indicators for IT Investment/Portfolio Manager
Credentials/Certifications
  • Entry
      • Recommended: Not essential but may be beneficial
      • Example Types: N/A
      • Example Topics: Certifications addressing network infrastructure, mobile device integration, hardware evaluation, operating systems, technical support, system security, access control, cryptography, assessments and audits, organizational security, security and risk management, asset security, security engineering, communications and network security, identity and access management, security assessment and testing, security operations, and software development security
  • Intermediate
      • Recommended: Not essential but may be beneficial
      • Example Types: N/A
      • Example Topics: Certifications addressing network types, network media, switching fundamentals, TCP/IP, IP addressing and routing, WAN technologies, operating and configuring IOS devices, managing network environments, system security, network infrastructure, access control, cryptography, assessments and audits, organizational security, risk management, categorization of information systems, selection of security controls, security control implementation and assessment, information system authorization, monitoring of security controls, strategic program management, program lifecycle (initiating, planning, executing, controlling, and closing), benefits management, stakeholder management, and governance
  • Advanced
      • Recommended: Not essential but may be beneficial
      • Example Topics: Certifications addressing security and risk management, asset security, security engineering, communications and network security, identity and access management, security assessment and testing, security operations, software development security, information security governance, information risk management, security program development and management, information security incident management, change management and incident handling for managers, common attacks and malware, managing (access control, defense in depth and security policy, disaster recovery and contingency planning, employees and total cost of ownership, operational security, physical security and facility safety, privacy and web security, risk and ethics, security awareness and protecting intellectual property, the network infrastructure, quality and growth of the security organization, the use of cryptography, vulnerabilities, wireless security), network and endpoint security technologies, network protocols for managers, project management and business situational awareness, selling and managing the mission, enterprise security, risk management and incident response, research and analysis, integration of computing, communications, and business discipline, technical integration of enterprise components, strategic program management, program lifecycle (initiating, planning, executing, controlling, and closing), benefits management, stakeholder management, and governance
Continuous Learning
  • Entry
      • Recommended: Not essential but may be beneficial
      • Examples: 10 hours a year
  • Intermediate
      • Recommended: Yes
      • Examples: 40 hours annually (may include workshops and conferences)
  • Advanced
      • Recommended: Yes
      • Examples: 40 hours annually (may include learning and implementing best practices across enterprise, and thought leadership)
Education
  • Entry
      • Recommended: Not essential but may be beneficial
      • Example Types: Bachelor's
      • Example Topics: Finance or IT
  • Intermediate
      • Recommended: Not essential but may be beneficial
      • Example Types: Bachelor's (certifications addressing advanced systems management, systems administration, system certification, risk analyst, governance, security risk management, controls, and audit management, information security core concepts [access control, social engineering, phishing attacks, and identity theft], strategic planning, finance, and vendor management may substitute education)
      • Example Topics: N/A
  • Advanced
      • Recommended: Not essential but may be beneficial
      • Example Types: Master's, Ph.D. (certifications addressing advanced systems management, systems administration, system certification, risk analyst, five-step IT alignment process to create strategic business value for your company, building a business case beyond ROI, principles of leadership and how the CIO uses them to strengthen the IT alignment process, and corporate political communications and corporate political capital may substitute education)
      • Example Topics: N/A
Experiential Learning
  • Entry
      • Recommended: Not essential but may be beneficial
      • Examples: Macros, shadowing, rotations, mentorship or apprenticeship, management succession program, and legislation
  • Intermediate
      • Recommended: Yes
      • Examples: Interagency rotation, mentor/mentee, information assurance
  • Advanced
      • Recommended: Yes
      • Examples: 2+ years of experience, interagency rotation, knowledge sharing, mentoring, and information assurance
Training
  • Entry
      • Recommended: Not essential but may be beneficial
      • Example Types: N/A
      • Example Topics: Acquisition planning, market research (understanding the marketplace), defining government requirements, effective pre-award communication, proposal evaluation, contract negotiation, contract administration management, effective inspection and acceptance, contract quality assurance and evaluation, contract closeout, contract reporting, business acumen and communications skill sets, and Contracting Officer Representative Tracking (CORT) tool
  • Intermediate
      • Recommended: Not essential but may be beneficial
      • Example Types: N/A
      • Example Topics: Network security vulnerability
  • Advanced
      • Recommended: Not essential but may be beneficial
      • Example Types: N/A
      • Example Topics: Information system security