Oversee and Govern

Applies knowledge of data, information, processes, organizational interactions, skills, and analytical expertise, as well as systems, networks, and information exchange capabilities to manage acquisition programs. Executes duties governing hardware, software, and information system acquisition programs and other program management policies. Provides direct support for acquisitions that use information technology (IT) (including National Security Systems), applying IT-related laws and policies, and provides IT-related guidance throughout the total acquisition life cycle.

Below are the roles for this Specialty Area, each listed with its KSAs (Knowledge, Skills, and Abilities) and Tasks.

  • A0039: Ability to oversee the development and update of the life cycle cost estimate.
  • K0001: Knowledge of computer networking concepts and protocols, and network security methodologies. 
  • K0002: Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). 
  • K0003: Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy. 
  • K0004: Knowledge of cybersecurity and privacy principles. 
  • K0005: Knowledge of cyber threats and vulnerabilities. 
  • K0006: Knowledge of specific operational impacts of cybersecurity lapses. 
  • K0048: Knowledge of Risk Management Framework (RMF) requirements. 
  • K0072: Knowledge of resource management principles and techniques.
  • K0120: Knowledge of how information needs and collection requirements are translated, tracked, and prioritized across the extended enterprise.
  • K0126: Knowledge of Supply Chain Risk Management Practices (NIST SP 800-161).
  • K0146: Knowledge of the organization's core business/mission processes.
  • K0154: Knowledge of supply chain risk management standards, processes, and practices.
  • K0165: Knowledge of risk threat assessment.
  • K0169: Knowledge of information technology (IT) supply chain security and supply chain risk management policies, requirements, and procedures. 
  • K0235: Knowledge of how to leverage research and development centers, think tanks, academic research, and industry systems. 
  • K0257: Knowledge of information technology (IT) acquisition/procurement requirements.
  • K0270: Knowledge of the acquisition/procurement life cycle process. 
  • S0372: Skill to translate, track, and prioritize information needs and intelligence collection requirements across the extended enterprise. 
  • T0220: Resolve conflicts in laws, regulations, policies, standards, or procedures.
  • T0223: Review or conduct audits of information technology (IT) programs and projects.
  • T0277: Ensure that all acquisitions, procurements, and outsourcing efforts address information security requirements consistent with organization goals.
  • T0302: Develop contract language to ensure supply chain, system, network, and operational security are met.
  • T0377: Gather feedback on customer satisfaction and internal service performance to foster continual improvement.
  • T0415: Ensure that supply chain, system, network, performance, and cybersecurity requirements are included in contract language and delivered.
  • T0493: Lead and oversee budget, staffing, and contracting.
  • T0551: Draft and publish supply chain security and risk management documents.
  • Capability Indicators for IT Investment/Portfolio Manager
    Credentials/Certifications
      Entry:
      • Recommended: Not essential but may be beneficial
      • Example Types: N/A
      • Example Topics: Certifications addressing network infrastructure, mobile device integration, hardware evaluation, operating systems, technical support, system security, access control, cryptography, assessments and audits, organizational security, security and risk management, asset security, security engineering, communications and network security, identity and access management, security assessment and testing, security operations, and software development security
      Intermediate:
      • Recommended: Not essential but may be beneficial
      • Example Types: N/A
      • Example Topics: Certifications addressing network types, network media, switching fundamentals, TCP/IP, IP addressing and routing, WAN technologies, operating and configuring IOS devices, managing network environments, system security, network infrastructure, access control, cryptography, assessments and audits, organizational security, risk management, categorization of information systems, selection of security controls, security control implementation and assessment, information system authorization, monitoring of security controls, strategic program management, program lifecycle (initiating, planning, executing, controlling, and closing), benefits management, stakeholder management, and governance
      Advanced:
      • Recommended: Not essential but may be beneficial
      • Example Topics: Certifications addressing security and risk management, asset security, security engineering, communications and network security, identity and access management, security assessment and testing, security operations, software development security, information security governance, information risk management, security program development and management, information security incident management, change management and incident handling for managers, common attacks and malware, managing (access control, defense in depth and security policy, disaster recovery and contingency planning, employees and total cost of ownership, operational security, physical security and facility safety, privacy and web security, risk and ethics, security awareness and protecting intellectual property, the network infrastructure, quality and growth of the security organization, the use of cryptography, vulnerabilities, wireless security), network and endpoint security technologies, network protocols for managers, project management and business situational awareness, selling and managing the mission, enterprise security, risk management and incident response, research and analysis, integration of computing, communications, and business discipline, technical integration of enterprise components, strategic program management, program lifecycle (initiating, planning, executing, controlling, and closing), benefits management, stakeholder management, and governance
    Continuous Learning
      Entry:
      • Recommended: Not essential but may be beneficial
      • Examples: 10 hours a year
      Intermediate:
      • Recommended: Yes
      • Examples: 40 hours annually (may include workshops and conferences)
      Advanced:
      • Recommended: Yes
      • Examples: 40 hours annually (may include learning and implementing best practices across the enterprise, and thought leadership)
    Education
      Entry:
      • Recommended: Not essential but may be beneficial
      • Example Types: Bachelor's
      • Example Topics: Finance or IT
      Intermediate:
      • Recommended: Not essential but may be beneficial
      • Example Types: Bachelor's (certifications addressing advanced systems management, systems administration, system certification, risk analyst, governance, security risk management, controls, and audit management, information security core concepts [access control, social engineering, phishing attacks, and identity theft], strategic planning, finance, and vendor management may substitute for education)
      • Example Topics: N/A
      Advanced:
      • Recommended: Not essential but may be beneficial
      • Example Types: Master's, Ph.D. (certifications addressing advanced systems management, systems administration, system certification, risk analyst, five-step IT alignment process to create strategic business value for your company, building a business case beyond ROI, principles of leadership and how the CIO uses them to strengthen the IT alignment process, and corporate political communications and corporate political capital may substitute for education)
      • Example Topics: N/A
    Experiential Learning
      Entry:
      • Recommended: Not essential but may be beneficial
      • Examples: Macros, shadowing, rotations, mentorship or apprenticeship, management succession program, and legislation
      Intermediate:
      • Recommended: Yes
      • Examples: Interagency rotation, mentor/mentee, information assurance
      Advanced:
      • Recommended: Yes
      • Examples: 2+ years of experience; interagency rotation, knowledge sharing, mentoring, and information assurance
    Training
      Entry:
      • Recommended: Not essential but may be beneficial
      • Example Types: N/A
      • Example Topics: Acquisition planning, market research (understanding the marketplace), defining government requirements, effective pre-award communication, proposal evaluation, contract negotiation, contract administration management, effective inspection and acceptance, contract quality assurance and evaluation, contract closeout, contract reporting, business acumen and communications skill sets, and Contracting Officer Representative Tracking (CORT) tool
      Intermediate:
      • Recommended: Not essential but may be beneficial
      • Example Types: N/A
      • Example Topics: Network security vulnerability
      Advanced:
      • Recommended: Not essential but may be beneficial
      • Example Types: N/A
      • Example Topics: Information system security
  • A0056: Ability to ensure security practices are followed throughout the acquisition process.
  • K0001: Knowledge of computer networking concepts and protocols, and network security methodologies. 
  • K0002: Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). 
  • K0003: Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy. 
  • K0004: Knowledge of cybersecurity and privacy principles. 
  • K0005: Knowledge of cyber threats and vulnerabilities. 
  • K0006: Knowledge of specific operational impacts of cybersecurity lapses. 
  • K0043: Knowledge of industry-standard and organizationally accepted analysis principles and methods. 
  • K0047: Knowledge of information technology (IT) architectural concepts and frameworks.
  • K0048: Knowledge of Risk Management Framework (RMF) requirements. 
  • K0072: Knowledge of resource management principles and techniques.
  • K0090: Knowledge of system life cycle management principles, including software security and usability.
  • K0120: Knowledge of how information needs and collection requirements are translated, tracked, and prioritized across the extended enterprise.
  • K0126: Knowledge of Supply Chain Risk Management Practices (NIST SP 800-161).
  • K0148: Knowledge of import/export control regulations and responsible agencies for the purposes of reducing supply chain risk.
  • K0154: Knowledge of supply chain risk management standards, processes, and practices.
  • K0165: Knowledge of risk threat assessment.
  • K0169: Knowledge of information technology (IT) supply chain security and supply chain risk management policies, requirements, and procedures. 
  • K0198: Knowledge of organizational process improvement concepts and process maturity models (e.g., Capability Maturity Model Integration (CMMI) for Development, CMMI for Services, and CMMI for Acquisitions). 
  • K0200: Knowledge of service management concepts for networks and related standards (e.g., Information Technology Infrastructure Library, current version [ITIL]).
  • K0235: Knowledge of how to leverage research and development centers, think tanks, academic research, and industry systems. 
  • K0257: Knowledge of information technology (IT) acquisition/procurement requirements.
  • K0270: Knowledge of the acquisition/procurement life cycle process. 
  • S0038: Skill in identifying measures or indicators of system performance and the actions needed to improve or correct performance, relative to the goals of the system.
  • S0085: Skill in conducting audits or reviews of technical systems.
  • S0372: Skill to translate, track, and prioritize information needs and intelligence collection requirements across the extended enterprise. 
  • T0072: Develop methods to monitor and measure risk, compliance, and assurance efforts.
  • T0207: Provide ongoing optimization and problem-solving support.
  • T0208: Provide recommendations for possible improvements and upgrades.
  • T0223: Review or conduct audits of information technology (IT) programs and projects.
  • T0256: Evaluate the effectiveness of procurement function in addressing information security requirements and supply chain risks through procurement activities and recommend improvements.
  • T0389: Review service performance reports identifying any significant issues and variances, initiating, where necessary, corrective actions and ensuring that all outstanding issues are followed up.
  • T0412: Conduct import/export reviews for acquiring systems and software.
  • T0415: Ensure that supply chain, system, network, performance, and cybersecurity requirements are included in contract language and delivered.
  • Capability Indicators for IT Program Auditor
    Credentials/Certifications
      Entry:
      • Recommended: N/A
      • Example Types: N/A
      • Example Topics: N/A
      Intermediate:
      • Recommended: Yes
      • Example Types: N/A
      • Example Topics: Certifications that address system security, network infrastructure, access control, cryptography, assessments and audits, and organizational security
      Advanced:
      • Recommended: Yes
      • Example Topics: Certifications that address security and risk management, asset security, security engineering, communications and network security, identity and access management, security assessment and testing, security operations, software development security, information security governance, and information risk management
    Continuous Learning
      Entry:
      • Recommended: N/A
      • Examples: N/A
      Intermediate:
      • Recommended: Yes
      • Examples: 40 hours annually (may include mentoring, shadowing, conferences, webinars, or rotations)
      Advanced:
      • Recommended: Yes
      • Examples: 40 hours annually (may include mentoring, shadowing, conferences, webinars, or rotations)
    Education
      Entry:
      • Recommended: No (not an Entry-level Work Role)
      • Example Types: N/A
      • Example Topics: N/A
      Intermediate:
      • Recommended: Yes
      • Example Types: Bachelor's (certifications addressing systems administration, risk analysis, governance, security risk management, controls, audit management, information security core concepts [access control, social engineering, phishing attacks, and identity theft], strategic planning, finance, and vendor management may substitute for education)
      • Example Topics: Computer science, cybersecurity, information technology, software engineering, information systems, computer engineering
      Advanced:
      • Recommended: Yes
      • Example Types: Bachelor's (certifications addressing advanced systems management, systems administration, system certification, risk analysis, building a business case beyond ROI, principles of leadership and how the CIO uses them to strengthen the IT alignment process, and corporate political communications and corporate political capital may substitute for education)
      • Example Topics: Computer science, cybersecurity, information technology, software engineering, information systems, computer engineering
    Experiential Learning
      Entry:
      • Recommended: N/A
      • Examples: N/A
      Intermediate:
      • Recommended: Yes
      • Examples: Prior information assurance experience
      Advanced:
      • Recommended: Yes
      • Examples: Prior information assurance experience
    Training
      Entry:
      • Recommended: N/A
      • Example Types: N/A
      • Example Topics: N/A
      Intermediate:
      • Recommended: Yes
      • Example Types: N/A
      • Example Topics: Network security vulnerability, internal auditing, audit planning, information systems, Sarbanes-Oxley (SOX), accounting, risk assessment, project management, business process, new controls for product and service integrity, and Control Objectives for Information and Related Technologies (COBIT)
      Advanced:
      • Recommended: Yes
      • Example Types: N/A
      • Example Topics: Information system security, internal auditing, audit planning, information systems, SOX, accounting, risk assessment, project management, business process, new controls for product and service integrity, and COBIT
  • A0009: Ability to apply supply chain risk management standards.
  • A0039: Ability to oversee the development and update of the life cycle cost estimate.
  • A0045: Ability to evaluate/ensure the trustworthiness of the supplier and/or product.
  • A0056: Ability to ensure security practices are followed throughout the acquisition process.
  • K0001: Knowledge of computer networking concepts and protocols, and network security methodologies. 
  • K0002: Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). 
  • K0003: Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy. 
  • K0004: Knowledge of cybersecurity and privacy principles. 
  • K0005: Knowledge of cyber threats and vulnerabilities. 
  • K0006: Knowledge of specific operational impacts of cybersecurity lapses. 
  • K0012: Knowledge of capabilities and requirements analysis. 
  • K0043: Knowledge of industry-standard and organizationally accepted analysis principles and methods. 
  • K0047: Knowledge of information technology (IT) architectural concepts and frameworks.
  • K0048: Knowledge of Risk Management Framework (RMF) requirements. 
  • K0059: Knowledge of new and emerging information technology (IT) and cybersecurity technologies. 
  • K0072: Knowledge of resource management principles and techniques.
  • K0090: Knowledge of system life cycle management principles, including software security and usability.
  • K0101: Knowledge of the organization's enterprise information technology (IT) goals and objectives.
  • K0120: Knowledge of how information needs and collection requirements are translated, tracked, and prioritized across the extended enterprise.
  • K0126: Knowledge of Supply Chain Risk Management Practices (NIST SP 800-161).
  • K0146: Knowledge of the organization's core business/mission processes.
  • K0148: Knowledge of import/export control regulations and responsible agencies for the purposes of reducing supply chain risk.
  • K0154: Knowledge of supply chain risk management standards, processes, and practices.
  • K0164: Knowledge of functionality, quality, and security requirements and how these will apply to specific items of supply (i.e., elements and processes).
  • K0165: Knowledge of risk threat assessment.
  • K0169: Knowledge of information technology (IT) supply chain security and supply chain risk management policies, requirements, and procedures. 
  • K0194: Knowledge of Cloud-based knowledge management technologies and concepts related to security, governance, procurement, and administration. 
  • K0196: Knowledge of Import/Export Regulations related to cryptography and other security technologies. 
  • K0198: Knowledge of organizational process improvement concepts and process maturity models (e.g., Capability Maturity Model Integration (CMMI) for Development, CMMI for Services, and CMMI for Acquisitions). 
  • K0200: Knowledge of service management concepts for networks and related standards (e.g., Information Technology Infrastructure Library, current version [ITIL]).
  • K0235: Knowledge of how to leverage research and development centers, think tanks, academic research, and industry systems. 
  • K0257: Knowledge of information technology (IT) acquisition/procurement requirements.
  • K0270: Knowledge of the acquisition/procurement life cycle process. 
  • S0038: Skill in identifying measures or indicators of system performance and the actions needed to improve or correct performance, relative to the goals of the system.
  • S0372: Skill to translate, track, and prioritize information needs and intelligence collection requirements across the extended enterprise. 
  • T0072: Develop methods to monitor and measure risk, compliance, and assurance efforts.
  • T0174: Perform needs analysis to determine opportunities for new and improved business process solutions.
  • T0196: Provide advice on project costs, design concepts, or design changes.
  • T0199: Provide enterprise cybersecurity and supply chain risk management guidance for development of the Continuity of Operations Plans.
  • T0207: Provide ongoing optimization and problem-solving support.
  • T0208: Provide recommendations for possible improvements and upgrades.
  • T0220: Resolve conflicts in laws, regulations, policies, standards, or procedures.
  • T0223: Review or conduct audits of information technology (IT) programs and projects.
  • T0256: Evaluate the effectiveness of procurement function in addressing information security requirements and supply chain risks through procurement activities and recommend improvements.
  • T0273: Develop and document supply chain risks for critical system elements, as appropriate.
  • T0277: Ensure that all acquisitions, procurements, and outsourcing efforts address information security requirements consistent with organization goals.
  • T0340: Act as a primary stakeholder in the underlying information technology (IT) operational processes and functions that support the service, provide direction and monitor all significant activities so the service is delivered successfully.
  • T0354: Coordinate and manage the overall service provided to a customer end-to-end.
  • T0370: Ensure that appropriate Service-Level Agreements (SLAs) and underpinning contracts have been defined that clearly set out for the customer a description of the service and the measures for monitoring the service.
  • T0377: Gather feedback on customer satisfaction and internal service performance to foster continual improvement.
  • T0379: Manage the internal relationship with information technology (IT) process owners supporting the service, assisting with the definition and agreement of Operating Level Agreements (OLAs).
  • T0389: Review service performance reports identifying any significant issues and variances, initiating, where necessary, corrective actions and ensuring that all outstanding issues are followed up.
  • T0394: Work with other service managers and product owners to balance and prioritize services to meet overall customer requirements, constraints, and objectives.
  • T0407: Participate in the acquisition process as necessary.
  • T0412: Conduct import/export reviews for acquiring systems and software.
  • T0414: Develop supply chain, system, network, performance, and cybersecurity requirements.
  • T0415: Ensure that supply chain, system, network, performance, and cybersecurity requirements are included in contract language and delivered.
  • T0481: Identify and address cyber workforce planning and management issues (e.g., recruitment, retention, and training).
  • T0493: Lead and oversee budget, staffing, and contracting.
  • T0551: Draft and publish supply chain security and risk management documents.
  • Capability Indicators for IT Project Manager
    Credentials/Certifications
      Entry:
      • Recommended: Yes
      • Example Types: N/A
      • Example Topics: Certifications that address security and risk management, asset security, security engineering, communications and network security, identity and access management, security assessment and testing, security operations, software development security, and project management (initiating, planning, executing, monitoring and controlling, closing)
      Intermediate:
      • Recommended: Yes
      • Example Types: N/A
      • Example Topics: Certifications that address project management (initiating, planning, executing, monitoring and controlling, and closing), security and risk management, asset security, security engineering, communications and network security, identity and access management, security assessment and testing, security operations, software development security, system security, network infrastructure, access control, cryptography, assessments and audits, and organizational security
      Advanced:
      • Recommended: Yes
      • Example Topics: Certifications that address project management (initiating, planning, executing, monitoring and controlling, closing), security and risk management, asset security, security engineering, communications and network security, identity and access management, security assessment and testing, security operations, and software development security
    Continuous Learning
      Entry:
      • Recommended: Yes
      • Examples: Professional memberships, forums, roundtables, online training courses, and maintaining certifications
      Intermediate:
      • Recommended: Yes
      • Examples: 40 hours annually (may include professional memberships, forums, lunch and learns, roundtables, online training courses, and maintaining certifications)
      Advanced:
      • Recommended: Yes
      • Examples: 40 hours annually (may include mentoring, rotations, professional memberships, maintaining certifications, and speaking at conferences)
    Education
      Entry:
      • Recommended: Not essential but may be beneficial
      • Example Types: No degree, Associate's, Bachelor's, Master's
      • Example Topics: Business, cybersecurity, math, engineering and technology, information assurance, and project management
      Intermediate:
      • Recommended: Yes
      • Example Types: Bachelor's (certifications addressing advanced systems management, systems administration, information systems security, system certification, risk analysis, governance, security risk management, controls, audit management, information security core concepts [access control, social engineering, phishing attacks, and identity theft], strategic planning, finance, and vendor management may substitute for education)
      • Example Topics: Engineering and technology, information assurance, project management
      Advanced:
      • Recommended: Yes
      • Example Types: Bachelor's, Master's, Ph.D. (certifications addressing advanced systems management, systems administration, information systems security, system certification, risk analysis, five-step IT alignment process to create strategic business value for your company, building a business case beyond ROI, principles of leadership and how the CIO uses them to strengthen the IT alignment process, and corporate political communications/political capital may substitute for education)
      • Example Topics: Project management, M.B.A. (business administration, engineering and technology, and information assurance)
    Experiential Learning
      Entry:
      • Recommended: Not essential but may be beneficial
      • Examples: 6 months to 5 years of experience leading and directing projects, leading working groups, and networking in other organizations and within own organization
      Intermediate:
      • Recommended: Yes
      • Examples: 1-7 years of developing skills in IT and project management; full-time work experience in security and risk management, asset security, security engineering, communications and network security, identity and access management, security assessment and testing, security operations, and software development security; 10 years of experience leading working groups and large complex projects, networking in other organizations and within own organization, and supervised on-the-job training with privileged information assurance
      Advanced:
      • Recommended: Yes
      • Examples: 8-15+ years working in an IT/PM role; successfully led and directed large complex projects and teams; information assurance
    Training
      Entry:
      • Recommended: Yes
      • Example Types: N/A
      • Example Topics: IT, workplace-provided training, contract writing, basics of project management, leadership courses, technical training, and public speaking
      Intermediate:
      • Recommended: Yes
      • Example Types: N/A
      • Example Topics: Workplace-provided training, online training, workshops, boot camps for IT project management, leadership, public speaking, and network security vulnerability
      Advanced:
      • Recommended: Yes
      • Example Types: N/A
      • Example Topics: IT, project management, leadership, budget, risk management, public speaking, and information system security management
  • A0009: Ability to apply supply chain risk management standards.
  • A0031: Ability to conduct and implement market research to understand government and industry capabilities and appropriate pricing.
  • A0039: Ability to oversee the development and update of the life cycle cost estimate.
  • A0045: Ability to evaluate/ensure the trustworthiness of the supplier and/or product.
  • A0056: Ability to ensure security practices are followed throughout the acquisition process.
  • K0001: Knowledge of computer networking concepts and protocols, and network security methodologies. 
  • K0002: Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). 
  • K0003: Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy. 
  • K0004: Knowledge of cybersecurity and privacy principles. 
  • K0005: Knowledge of cyber threats and vulnerabilities. 
  • K0006: Knowledge of specific operational impacts of cybersecurity lapses. 
  • K0043: Knowledge of industry-standard and organizationally accepted analysis principles and methods. 
  • K0048: Knowledge of Risk Management Framework (RMF) requirements. 
  • K0059: Knowledge of new and emerging information technology (IT) and cybersecurity technologies. 
  • K0072: Knowledge of resource management principles and techniques.
  • K0090: Knowledge of system life cycle management principles, including software security and usability.
  • K0120: Knowledge of how information needs and collection requirements are translated, tracked, and prioritized across the extended enterprise.
  • K0126: Knowledge of Supply Chain Risk Management Practices (NIST SP 800-161).
  • K0148: Knowledge of import/export control regulations and responsible agencies for the purposes of reducing supply chain risk.
  • K0150: Knowledge of enterprise incident response program, roles, and responsibilities.
  • K0154: Knowledge of supply chain risk management standards, processes, and practices.
  • K0164: Knowledge of functionality, quality, and security requirements and how these will apply to specific items of supply (i.e., elements and processes).
  • K0165: Knowledge of risk threat assessment.
  • K0169: Knowledge of information technology (IT) supply chain security and supply chain risk management policies, requirements, and procedures. 
  • K0194: Knowledge of Cloud-based knowledge management technologies and concepts related to security, governance, procurement, and administration. 
  • K0196: Knowledge of Import/Export Regulations related to cryptography and other security technologies. 
  • K0198: Knowledge of organizational process improvement concepts and process maturity models (e.g., Capability Maturity Model Integration (CMMI) for Development, CMMI for Services, and CMMI for Acquisitions). 
  • K0200: Knowledge of service management concepts for networks and related standards (e.g., Information Technology Infrastructure Library, current version [ITIL]).
  • K0235: Knowledge of how to leverage research and development centers, think tanks, academic research, and industry systems. 
  • K0249: Knowledge of sustainment technologies, processes and strategies.
  • K0257: Knowledge of information technology (IT) acquisition/procurement requirements.
  • K0270: Knowledge of the acquisition/procurement life cycle process. 
  • S0038: Skill in identifying measures or indicators of system performance and the actions needed to improve or correct performance, relative to the goals of the system.
  • S0372: Skill to translate, track, and prioritize information needs and intelligence collection requirements across the extended enterprise. 
  • T0072: Develop methods to monitor and measure risk, compliance, and assurance efforts.
  • T0174: Perform needs analysis to determine opportunities for new and improved business process solutions.
  • T0196: Provide advice on project costs, design concepts, or design changes.
  • T0204: Provide input to implementation plans and standard operating procedures.
  • T0207: Provide ongoing optimization and problem-solving support.
  • T0208: Provide recommendations for possible improvements and upgrades.
  • T0220: Resolve conflicts in laws, regulations, policies, standards, or procedures.
  • T0223: Review or conduct audits of information technology (IT) programs and projects.
  • T0256: Evaluate the effectiveness of procurement function in addressing information security requirements and supply chain risks through procurement activities and recommend improvements.
  • T0273: Develop and document supply chain risks for critical system elements, as appropriate.
  • T0277: Ensure that all acquisitions, procurements, and outsourcing efforts address information security requirements consistent with organization goals.
  • T0302: Develop contract language to ensure supply chain, system, network, and operational security are met.
  • T0340: Act as a primary stakeholder in the underlying information technology (IT) operational processes and functions that support the service, provide direction and monitor all significant activities so the service is delivered successfully.
  • T0354: Coordinate and manage the overall service provided to a customer end-to-end.
  • T0370: Ensure that appropriate Service-Level Agreements (SLAs) and underpinning contracts have been defined that clearly set out for the customer a description of the service and the measures for monitoring the service.
  • T0377: Gather feedback on customer satisfaction and internal service performance to foster continual improvement.
  • T0389: Review service performance reports identifying any significant issues and variances, initiating, where necessary, corrective actions and ensuring that all outstanding issues are followed up.
  • T0394: Work with other service managers and product owners to balance and prioritize services to meet overall customer requirements, constraints, and objectives.
  • T0412: Conduct import/export reviews for acquiring systems and software.
  • T0414: Develop supply chain, system, network, performance, and cybersecurity requirements.
  • T0493: Lead and oversee budget, staffing, and contracting.
  • T0525: Provide enterprise cybersecurity and supply chain risk management guidance.
  • T0551: Draft and publish supply chain security and risk management documents.
  • T0553: Apply cybersecurity functions (e.g., encryption, access control, and identity management) to reduce exploitation opportunities.
  • Capability Indicators for Product Support Manager
    Indicators are given for three proficiency levels: Entry, Intermediate, and Advanced.
    Credentials/Certifications
      Entry
      • Recommended: Yes
      • Example Types: Certifications that address any topics related to IT
      • Example Topics: N/A
      Intermediate
      • Recommended: Yes
      • Example Types: N/A
      • Example Topics: Certifications that address network types, network media, switching fundamentals, TCP/IP, IP addressing and routing, WAN technologies, operating and configuring IOS devices, and managing network environments, risk management, categorization of information systems, selection of security controls, security control implementation and assessment, information system authorization, and monitoring of security controls
      Advanced
      • Recommended: Yes
      • Example Topics: Certifications that address security and risk management, asset security, security engineering, communications and network security, identity and access management, security assessment and testing, security operations, software development security, information security governance, information risk management, security program development and management, information security incident management, change management and incident handling for managers, common attacks and malware, managing access control, managing defense in depth and security policy, managing (disaster recovery and contingency planning, employees and total cost of ownership, operational security, physical security and facility safety, privacy and web security, risk and ethics, security awareness and protecting intellectual property, the network infrastructure, quality and growth of the security organization, cryptography, vulnerabilities, wireless security, network and endpoint security technologies), network protocols for managers, project management and business situational awareness, selling and managing the mission, enterprise security, risk management and incident response, research and analysis, integration of computing, communications and business disciplines, technical integration of enterprise components, strategic program management, program lifecycle (initiating, planning, executing, controlling, and closing), benefits management, stakeholder management, and governance
    Continuous Learning
      Entry
      • Recommended: Yes
      • Examples: Mentoring
      Intermediate
      • Recommended: Yes
      • Examples: 40 hours annually (may include attending conferences)
      Advanced
      • Recommended: Yes
      • Examples: 40 hours annually (may include interagency rotational programs, and attending and speaking at conferences)
    Education
      Entry
      • Recommended: Not essential but may be beneficial
      • Example Types: Bachelor's
      • Example Topics: Computer science, cybersecurity, information technology, software engineering, information systems, computer engineering
      Intermediate
      • Recommended: Yes
      • Example Types: Bachelor's (certifications addressing advanced systems management, systems administration, information systems security, system certification, risk analysis, governance, security risk management, controls, audit management, information security core concepts [access control, social engineering, phishing attacks, identity theft], strategic planning, finance, and vendor management may substitute for education)
      • Example Topics: Computer science, cybersecurity, information technology, software engineering, information systems, computer engineering
      Advanced
      • Recommended: Not essential but may be beneficial
      • Example Types: Bachelor's, Master's, Ph.D. (certifications addressing advanced systems management, systems administration, information systems security, system certification, risk analysis, governance, security risk management, controls, audit management, information security core concepts [access control, social engineering, phishing attacks, and identity theft], strategic planning, finance, and vendor management may substitute for education)
      • Example Topics: Computer science, cybersecurity, information technology, software engineering, information systems, computer engineering
    Experiential Learning
      Entry
      • Recommended: Yes
      • Examples: 2+ years of work experience in IT
      Intermediate
      • Recommended: Yes
      • Examples: 2+ years of work experience in IT/information assurance
      Advanced
      • Recommended: Yes
      • Examples: Management, training, and information assurance
    Training
      Entry
      • Recommended: N/A
      • Example Types: N/A
      • Example Topics: N/A
      Intermediate
      • Recommended: Not essential but may be beneficial
      • Example Types: N/A
      • Example Topics: Network security vulnerability
      Advanced
      • Recommended: Not essential but may be beneficial
      • Example Types: N/A
      • Example Topics: Information system security
  • A0009: Ability to apply supply chain risk management standards.
  • A0039: Ability to oversee the development and update of the life cycle cost estimate.
  • A0045: Ability to evaluate/ensure the trustworthiness of the supplier and/or product.
  • A0056: Ability to ensure security practices are followed throughout the acquisition process.
  • K0001: Knowledge of computer networking concepts and protocols, and network security methodologies. 
  • K0002: Knowledge of risk management processes (e.g., methods for assessing and mitigating risk). 
  • K0003: Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy. 
  • K0004: Knowledge of cybersecurity and privacy principles. 
  • K0005: Knowledge of cyber threats and vulnerabilities. 
  • K0006: Knowledge of specific operational impacts of cybersecurity lapses. 
  • K0047: Knowledge of information technology (IT) architectural concepts and frameworks.
  • K0048: Knowledge of Risk Management Framework (RMF) requirements. 
  • K0072: Knowledge of resource management principles and techniques.
  • K0090: Knowledge of system life cycle management principles, including software security and usability.
  • K0101: Knowledge of the organization’s enterprise information technology (IT) goals and objectives.
  • K0120: Knowledge of how information needs and collection requirements are translated, tracked, and prioritized across the extended enterprise.
  • K0126: Knowledge of Supply Chain Risk Management Practices (NIST SP 800-161) 
  • K0146: Knowledge of the organization's core business/mission processes.
  • K0148: Knowledge of import/export control regulations and responsible agencies for the purposes of reducing supply chain risk.
  • K0154: Knowledge of supply chain risk management standards, processes, and practices.
  • K0164: Knowledge of functionality, quality, and security requirements and how these will apply to specific items of supply (i.e., elements and processes).
  • K0165: Knowledge of risk threat assessment.
  • K0169: Knowledge of information technology (IT) supply chain security and supply chain risk management policies, requirements, and procedures. 
  • K0194: Knowledge of Cloud-based knowledge management technologies and concepts related to security, governance, procurement, and administration. 
  • K0196: Knowledge of Import/Export Regulations related to cryptography and other security technologies. 
  • K0198: Knowledge of organizational process improvement concepts and process maturity models (e.g., Capability Maturity Model Integration (CMMI) for Development, CMMI for Services, and CMMI for Acquisitions). 
  • K0200: Knowledge of service management concepts for networks and related standards (e.g., Information Technology Infrastructure Library, current version [ITIL]).
  • K0235: Knowledge of how to leverage research and development centers, think tanks, academic research, and industry systems. 
  • K0257: Knowledge of information technology (IT) acquisition/procurement requirements.
  • K0270: Knowledge of the acquisition/procurement life cycle process. 
  • S0038: Skill in identifying measures or indicators of system performance and the actions needed to improve or correct performance, relative to the goals of the system.
  • S0372: Skill to translate, track, and prioritize information needs and intelligence collection requirements across the extended enterprise. 
  • T0066: Develop and maintain strategic plans.
  • T0072: Develop methods to monitor and measure risk, compliance, and assurance efforts.
  • T0174: Perform needs analysis to determine opportunities for new and improved business process solutions.
  • T0199: Provide enterprise cybersecurity and supply chain risk management guidance for development of the Continuity of Operations Plans.
  • T0220: Resolve conflicts in laws, regulations, policies, standards, or procedures.
  • T0223: Review or conduct audits of information technology (IT) programs and projects.
  • T0256: Evaluate the effectiveness of procurement function in addressing information security requirements and supply chain risks through procurement activities and recommend improvements.
  • T0273: Develop and document supply chain risks for critical system elements, as appropriate.
  • T0277: Ensure that all acquisitions, procurements, and outsourcing efforts address information security requirements consistent with organization goals.
  • T0302: Develop contract language to ensure supply chain, system, network, and operational security are met.
  • T0340: Act as a primary stakeholder in the underlying information technology (IT) operational processes and functions that support the service, provide direction and monitor all significant activities so the service is delivered successfully.
  • T0354: Coordinate and manage the overall service provided to a customer end-to-end.
  • T0377: Gather feedback on customer satisfaction and internal service performance to foster continual improvement.
  • T0379: Manage the internal relationship with information technology (IT) process owners supporting the service, assisting with the definition and agreement of Operating Level Agreements (OLAs).
  • T0407: Participate in the acquisition process as necessary.
  • T0412: Conduct import/export reviews for acquiring systems and software.
  • T0414: Develop supply chain, system, network, performance, and cybersecurity requirements.
  • T0415: Ensure that supply chain, system, network, performance, and cybersecurity requirements are included in contract language and delivered.
  • T0481: Identify and address cyber workforce planning and management issues (e.g., recruitment, retention, and training).
  • T0493: Lead and oversee budget, staffing, and contracting.
  • T0551: Draft and publish supply chain security and risk management documents.
  • Capability Indicators for Program Manager
    Indicators are given for three proficiency levels: Entry, Intermediate, and Advanced.
    Credentials/Certifications
      Entry
      • Recommended: Not essential but may be beneficial
      • Example Types: N/A
      • Example Topics: Certifications that address requirements development and management processing, systems engineering, testing and evaluation, lifecycle logistics, contracting, business, cost, financial management, leadership, strategic program management, program lifecycle (initiating, planning, executing, controlling, closing), benefits management, stakeholder management, governance, and a data-driven approach and methodology for eliminating defects
      Intermediate
      • Recommended: Yes
      • Example Types: N/A
      • Example Topics: Certifications that address project management (initiating, planning, executing, monitoring and controlling, and closing), requirements development and management processing, systems engineering, testing and evaluation, lifecycle logistics, contracting, business, cost, financial management, leadership, strategic program management, program lifecycle (initiating, planning, executing, controlling, closing), benefits management, stakeholder management, governance, system security, network infrastructure, access control, cryptography, assessments and audits, and organizational security
      Advanced
      • Recommended: Yes
      • Example Topics: Certifications that address strategic program management, program lifecycle (initiating, planning, executing, controlling, and closing), benefits management, stakeholder management, governance, security and risk management, asset security, security engineering, communications and network security, identity and access management, security assessment and testing, security operations, and software development security
    Continuous Learning
      Entry
      • Recommended: Yes
      • Examples: 20-60 hours annually (may include maintaining certifications, attending symposium/conferences, self-directed study, and taking higher education coursework)
      Intermediate
      • Recommended: Yes
      • Examples: 40-80 hours annually (may include conferences, maintaining certification, on-the-job training for next level/increasing responsibilities, developmental assignments, shadowing, rotations, seminars, brown bags, and presentations)
      Advanced
      • Recommended: Yes
      • Examples: 40-120 hours annually (may include holding elected/appointed positions [e.g., committee leadership roles or attending and/or presenting at educational conferences or meetings], mentoring, and maintaining certifications)
    Education
      Entry
      • Recommended: Not essential but may be beneficial
      • Example Types: Associate's, Bachelor's
      • Example Topics: Computer science, cybersecurity, information technology, software engineering, information systems, computer engineering
      Intermediate
      • Recommended: Yes
      • Example Types: Associate's, Bachelor's (certifications addressing advanced systems management, systems administration, information systems security, system certification, risk analysis, governance, security risk management, controls, audit management, information security core concepts [access control, social engineering, phishing attacks, and identity theft], strategic planning, finance, and vendor management may substitute for education)
      • Example Topics: Computer science, cybersecurity, information technology, software engineering, information systems, computer engineering
      Advanced
      • Recommended: Yes
      • Example Types: Master's, Ph.D. (certifications addressing advanced systems management, systems administration, information systems security, system certification, risk analysis, governance, security risk management, controls, audit management, information security core concepts [access control, social engineering, phishing attacks, and identity theft], strategic planning, finance, and vendor management may substitute for education)
      • Example Topics: Computer science, cybersecurity, information technology, software engineering, information systems, computer engineering
    Experiential Learning
      Entry
      • Recommended: Yes
      • Examples: 3+ years of program management experience with a budget of $10 million to $50 million, project management, mentoring, soft skills, 6-month rotations
      Intermediate
      • Recommended: Yes
      • Examples: 5+ years of program management experience with a budget of $50 million to $100 million, handling day-to-day responsibilities, information assurance
      Advanced
      • Recommended: Yes
      • Examples: 7+ years of program management experience with a budget of $100 million+, overseeing all assignments involving the program, managing large and complex projects, coaching others, presenting at conferences, mentoring other managers
    Training
      Entry
      • Recommended: Not essential but may be beneficial
      • Example Types: N/A
      • Example Topics: Hacking trends
      Intermediate
      • Recommended: Yes
      • Example Types: N/A
      • Example Topics: Hacking trends, contracting, business cost and financial management, applied leadership in projects and programs, and network security vulnerability
      Advanced
      • Recommended: Yes
      • Example Types: N/A
      • Example Topics: Leadership, program management, strategy, business, cost and financial management, hacking trends, online training, and publications